{"3.8.1":{"release_date":"2014-01-23","changelog_url":"https://codex.wordpress.org/Version_3.8.1","status":"insecure","vulnerabilities":[{"id":5963,"title":"WordPress 1.0 - 3.8.1 administrator exploitable blind SQLi","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":null,"vuln_type":"SQLI","references":{"url":["https://security.dxw.com/advisories/sqli-in-wordpress-3-6-1/"]},"fixed_in":null},{"id":5964,"title":"WordPress 3.7.1 \u0026 3.8.1 Potential Authentication Cookie Forgery","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"url":["https://labs.mwrinfosecurity.com/blog/2014/04/11/wordpress-auth-cookie-forgery/","https://github.com/WordPress/WordPress/commit/78a915e0e5927cf413aa6c2cef2fca3dc587f8be"],"cve":["2014-0166"]},"fixed_in":"3.8.2"},{"id":5965,"title":"WordPress 3.7.1 \u0026 3.8.1 Privilege escalation: contributors publishing posts","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":null,"vuln_type":"BYPASS","references":{"url":["https://github.com/wpscanteam/wpscan/wiki/CVE-2014-0165"],"cve":["2014-0165"]},"fixed_in":"3.8.2"},{"id":5966,"title":"WordPress Plupload Unspecified XSS","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"BYPASS","references":{"secunia":["57769"]},"fixed_in":"3.8.2"},{"id":7526,"title":"WordPress 3.5 - 3.7.1 XML-RPC DoS","created_at":"2014-08-27T11:32:03.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/","http://www.breaksec.com/?p=6362"]},"fixed_in":"3.9.2"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7530,"title":"WordPress 3.6 - 3.9.1 XXE in GetID3 Library","created_at":"2014-09-16T18:19:44.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":null,"vuln_type":"XXE","references":{"url":["https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc","http://getid3.sourceforge.net/","http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html","https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav"],"cve":["2014-2053"]},"fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2015-04-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.8.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.8.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.8.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.8.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.8.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.8.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 
2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.9.7"}]},"3.8":{"release_date":"2013-12-12","changelog_url":"https://codex.wordpress.org/Version_3.8","status":"insecure","vulnerabilities":[{"id":5967,"title":"WordPress 3.7.1 \u0026 3.8 - Cleartext Admin Credentials Disclosure","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"url":["http://seclists.org/fulldisclosure/2013/Dec/135"]},"fixed_in":null},{"id":7526,"title":"WordPress 3.5 - 3.7.1 XML-RPC DoS","created_at":"2014-08-27T11:32:03.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/","http://www.breaksec.com/?p=6362"]},"fixed_in":"3.9.2"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in 
Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7530,"title":"WordPress 3.6 - 3.9.1 XXE in GetID3 Library","created_at":"2014-09-16T18:19:44.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":null,"vuln_type":"XXE","references":{"url":["https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc","http://getid3.sourceforge.net/","http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html","https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav"],"cve":["2014-2053"]},"fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2015-04-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.8.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.8.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.8.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.8.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.8.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.8.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.9.7"}]},"3.7.1":{"release_date":"2013-10-29","changelog_url":"https://codex.wordpress.org/Version_3.7.1","status":"insecure","vulnerabilities":[{"id":5964,"title":"WordPress 3.7.1 \u0026 3.8.1 Potential Authentication Cookie Forgery","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"url":["https://labs.mwrinfosecurity.com/blog/2014/04/11/wordpress-auth-cookie-forgery/","https://github.com/WordPress/WordPress/commit/78a915e0e5927cf413aa6c2cef2fca3dc587f8be"],"cve":["2014-0166"]},"fixed_in":"3.7.2"},{"id":5965,"title":"WordPress 3.7.1 \u0026 3.8.1 Privilege escalation: contributors publishing posts","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":null,"vuln_type":"BYPASS","references":{"url":["https://github.com/wpscanteam/wpscan/wiki/CVE-2014-0165"],"cve":["2014-0165"]},"fixed_in":"3.7.2"},{"id":5967,"title":"WordPress 3.7.1 \u0026 3.8 - Cleartext Admin Credentials Disclosure","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"url":["http://seclists.org/fulldisclosure/2013/Dec/135"]},"fixed_in":null},{"id":5966,"title":"WordPress Plupload Unspecified 
XSS","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"BYPASS","references":{"secunia":["57769"]},"fixed_in":"3.7.2"},{"id":7526,"title":"WordPress 3.5 - 3.7.1 XML-RPC DoS","created_at":"2014-08-27T11:32:03.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/","http://www.breaksec.com/?p=6362"]},"fixed_in":"3.9.2"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7530,"title":"WordPress 3.6 - 3.9.1 XXE in GetID3 Library","created_at":"2014-09-16T18:19:44.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":null,"vuln_type":"XXE","references":{"url":["https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc","http://getid3.sourceforge.net/","http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html","https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav"],"cve":["2014-2053"]},"fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon 
Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2015-04-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.7.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.7.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.7.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.7.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission 
Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 
2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"3.6":{"release_date":"2013-08-01","changelog_url":"https://codex.wordpress.org/Version_3.6","status":"insecure","vulnerabilities":[{"id":5968,"title":"WordPress 3.6 - PHP Object Injection","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2013-09-11T00:00:00.000Z","vuln_type":"OBJECTINJECTION","references":{"url":["http://vagosec.org/2013/09/wordpress-php-object-injection/","http://www.openwall.com/lists/oss-security/2013/09/12/1","http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4340","http://core.trac.wordpress.org/changeset/25325"],"cve":["2013-4338"],"secunia":["54803"]},"fixed_in":"3.6.1"},{"id":5969,"title":"WordPress 3.6 SWF/EXE File Upload XSS 
Weakness","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://core.trac.wordpress.org/changeset/25322"],"cve":["2013-5739"]},"fixed_in":"3.6.1"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":5971,"title":"WordPress 3.6 Post Authorship Spoofing","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://core.trac.wordpress.org/changeset/25321"],"cve":["2013-4340"],"secunia":["54803"]},"fixed_in":"3.6.1"},{"id":5972,"title":"WordPress 3.6 HTML File Upload XSS Weakness","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://core.trac.wordpress.org/changeset/25322"],"cve":["2013-5738"]},"fixed_in":"3.6.1"},{"id":5973,"title":"WordPress 3.6 Multiple Function Path Disclosure","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://seclists.org/fulldisclosure/2013/Nov/220"]},"fixed_in":null},{"id":5974,"title":"WordPress 3.6 Multiple Script Arbitrary Site Redirect","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://seclists.org/fulldisclosure/2013/Dec/174"]},"fixed_in":"3.6.1"},{"id":5975,"title":"WordPress 3.6 _wp_http_referer Parameter Reflected 
XSS","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2013/Dec/174"]},"fixed_in":"3.6.1"},{"id":7526,"title":"WordPress 3.5 - 3.7.1 XML-RPC DoS","created_at":"2014-08-27T11:32:03.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/","http://www.breaksec.com/?p=6362"]},"fixed_in":"3.9.2"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7530,"title":"WordPress 3.6 - 3.9.1 XXE in GetID3 Library","created_at":"2014-09-16T18:19:44.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":null,"vuln_type":"XXE","references":{"url":["https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc","http://getid3.sourceforge.net/","http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html","https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav"],"cve":["2014-2053"]},"fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon 
Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.5.3"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.7.2"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.7.3"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 
- Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary 
File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.5.2":{"release_date":"2013-06-21","changelog_url":"https://codex.wordpress.org/Version_3.5.2","status":"insecure","vulnerabilities":[{"id":5976,"title":"WordPress 3.5.2 Media Library Multiple Function Path Disclosure","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":null,"vuln_type":"FPD","references":{"url":["http://websecurity.com.ua/6795/"]},"fixed_in":null},{"id":5977,"title":"WordPress 3.5.2 - SWFUpload Content Spoofing","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2013-07-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/wpscanteam/wpscan/issues/243","https://github.com/wordpress/secure-swfupload/issues/1","http://openwall.com/lists/oss-security/2013/07/18/11","https://github.com/wordpress/secure-swfupload/issues/1"],"cve":["2013-4144"]},"fixed_in":null},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction 
Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":7526,"title":"WordPress 3.5 - 3.7.1 XML-RPC DoS","created_at":"2014-08-27T11:32:03.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/","http://www.breaksec.com/?p=6362"]},"fixed_in":"3.9.2"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon 
Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.7.2"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.5.1":{"release_date":"2013-01-24","changelog_url":"https://codex.wordpress.org/Version_3.5.1","status":"insecure","vulnerabilities":[{"id":5978,"title":"Wordpress 3.4 - 3.5.1 /wp-admin/users.php Malformed s Parameter Path 
Disclosure","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":null,"vuln_type":"FPD","references":{"url":["http://seclists.org/fulldisclosure/2013/Jul/70"]},"fixed_in":"3.5.2"},{"id":5979,"title":"WordPress 3.4-3.5.1 DoS in class-phpass.php","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://seclists.org/fulldisclosure/2013/Jun/65"],"cve":["2013-2173"],"secunia":["53676"]},"fixed_in":"3.5.2"},{"id":5980,"title":"WordPress 3.5.1 Multiple XSS","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{},"fixed_in":"3.5.2"},{"id":5981,"title":"WordPress 3.5.1 TinyMCE Plugin Flash Applet Unspecified Spoofing Weakness","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{},"fixed_in":"3.5.2"},{"id":5983,"title":"WordPress 3.5-3.5.1 oEmbed Unspecified XML External Entity (XXE)","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"XXE","references":{"cve":["2013-2202"]},"fixed_in":"3.5.2"},{"id":5984,"title":"WordPress 3.5-3.5.1 Multiple Role Remote Privilege Escalation","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{},"fixed_in":"3.5.2"},{"id":5985,"title":"WordPress 3.5-3.5.1 HTTP API Unspecified Server Side Request Forgery (SSRF)","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":null,"vuln_type":"SSRF","references":{},"fixed_in":"3.5.2"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction 
Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":7526,"title":"WordPress 3.5 - 3.7.1 XML-RPC DoS","created_at":"2014-08-27T11:32:03.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/","http://www.breaksec.com/?p=6362"]},"fixed_in":"3.9.2"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon 
Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.7.2"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.5":{"release_date":"2012-12-11","changelog_url":"https://codex.wordpress.org/Version_3.5","status":"insecure","vulnerabilities":[{"id":5978,"title":"Wordpress 3.4 - 3.5.1 /wp-admin/users.php Malformed s Parameter Path 
Disclosure","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":null,"vuln_type":"FPD","references":{"url":["http://seclists.org/fulldisclosure/2013/Jul/70"]},"fixed_in":"3.5.2"},{"id":5986,"title":"WordPress 3.4 - 3.5.1 DoS in class-phpass.php","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://seclists.org/fulldisclosure/2013/Jun/65"],"cve":["2013-2173"],"secunia":["53676"]},"fixed_in":"3.5.2"},{"id":5987,"title":"WordPress 3.3.2 - 3.5 Cross-Site Scripting (XSS) (Issue 3)","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://github.com/wpscanteam/wpscan/wiki/WordPress-3.5-Issues"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction 
Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":5990,"title":"WordPress 3.5 Shortcodes / Post Content Multiple Unspecified XSS","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://www.securityfocus.com/bid/57554/","http://securitytracker.com/id?1028045"],"cve":["2013-0236"],"secunia":["51967"]},"fixed_in":"3.5.1"},{"id":5966,"title":"WordPress Plupload Unspecified XSS","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"BYPASS","references":{"secunia":["57769"]},"fixed_in":"3.5.1"},{"id":7526,"title":"WordPress 3.5 - 3.7.1 XML-RPC DoS","created_at":"2014-08-27T11:32:03.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/","http://www.breaksec.com/?p=6362"]},"fixed_in":"3.9.2"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in 
Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"fixed_in":"4.0"},{"id":5983,"title":"WordPress 3.5-3.5.1 oEmbed Unspecified XML External Entity (XXE)","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"XXE","references":{"cve":["2013-2202"]},"fixed_in":"3.5.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery 
(SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal 
from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.7.2"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.4.2":{"release_date":"2012-09-06","changelog_url":"https://codex.wordpress.org/Version_3.4.2","status":"insecure","vulnerabilities":[{"id":5978,"title":"Wordpress 3.4 - 3.5.1 /wp-admin/users.php Malformed s Parameter Path 
Disclosure","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":null,"vuln_type":"FPD","references":{"url":["http://seclists.org/fulldisclosure/2013/Jul/70"]},"fixed_in":"3.5.2"},{"id":5986,"title":"WordPress 3.4 - 3.5.1 DoS in class-phpass.php","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://seclists.org/fulldisclosure/2013/Jun/65"],"cve":["2013-2173"],"secunia":["53676"]},"fixed_in":"3.5.2"},{"id":5987,"title":"WordPress 3.3.2 - 3.5 Cross-Site Scripting (XSS) (Issue 3)","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://github.com/wpscanteam/wpscan/wiki/WordPress-3.5-Issues"]},"fixed_in":null},{"id":5991,"title":"WordPress 3.4.2 Cross Site Request Forgery","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["http://packetstormsecurity.org/files/116785/WordPress-3.4.2-Cross-Site-Request-Forgery.html"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction 
Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":5966,"title":"WordPress Plupload Unspecified XSS","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"BYPASS","references":{"secunia":["57769"]},"fixed_in":"3.5.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary 
File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.4.1":{"release_date":"2012-06-27","changelog_url":"https://codex.wordpress.org/Version_3.4.1","status":"insecure","vulnerabilities":[{"id":5978,"title":"Wordpress 3.4 - 3.5.1 /wp-admin/users.php Malformed s Parameter Path Disclosure","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":null,"vuln_type":"FPD","references":{"url":["http://seclists.org/fulldisclosure/2013/Jul/70"]},"fixed_in":"3.5.2"},{"id":5986,"title":"WordPress 3.4 - 3.5.1 DoS in class-phpass.php","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://seclists.org/fulldisclosure/2013/Jun/65"],"cve":["2013-2173"],"secunia":["53676"]},"fixed_in":"3.5.2"},{"id":5987,"title":"WordPress 3.3.2 - 3.5 Cross-Site Scripting (XSS) (Issue 3)","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://github.com/wpscanteam/wpscan/wiki/WordPress-3.5-Issues"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port 
Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":5966,"title":"WordPress Plupload Unspecified XSS","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"BYPASS","references":{"secunia":["57769"]},"fixed_in":"3.5.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in 
Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.4":{"release_date":"2012-06-13","changelog_url":"https://codex.wordpress.org/Version_3.4","status":"insecure","vulnerabilities":[{"id":5978,"title":"Wordpress 3.4 - 3.5.1 /wp-admin/users.php Malformed s Parameter Path Disclosure","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":null,"vuln_type":"FPD","references":{"url":["http://seclists.org/fulldisclosure/2013/Jul/70"]},"fixed_in":"3.5.2"},{"id":5986,"title":"WordPress 3.4 - 3.5.1 DoS in class-phpass.php","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://seclists.org/fulldisclosure/2013/Jun/65"],"cve":["2013-2173"],"secunia":["53676"]},"fixed_in":"3.5.2"},{"id":5987,"title":"WordPress 3.3.2 - 3.5 Cross-Site Scripting 
(XSS) (Issue 3)","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://github.com/wpscanteam/wpscan/wiki/WordPress-3.5-Issues"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":5966,"title":"WordPress Plupload Unspecified XSS","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"BYPASS","references":{"secunia":["57769"]},"fixed_in":"3.5.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site 
Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.3.3":{"release_date":"2012-06-27","changelog_url":"https://codex.wordpress.org/Version_3.3.3","status":"insecure","vulnerabilities":[{"id":5987,"title":"WordPress 3.3.2 - 3.5 Cross-Site Scripting (XSS) (Issue 3)","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://github.com/wpscanteam/wpscan/wiki/WordPress-3.5-Issues"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC 
pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":5966,"title":"WordPress Plupload Unspecified XSS","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"BYPASS","references":{"secunia":["57769"]},"fixed_in":"3.5.1"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery 
(SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal 
from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.3.2":{"release_date":"2012-04-20","changelog_url":"https://codex.wordpress.org/Version_3.3.2","status":"insecure","vulnerabilities":[{"id":5987,"title":"WordPress 3.3.2 - 3.5 Cross-Site Scripting (XSS) (Issue 3)","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://github.com/wpscanteam/wpscan/wiki/WordPress-3.5-Issues"]},"fixed_in":null},{"id":5992,"title":"Wordpress 3.3.1 Multiple CSRF Vulnerabilities","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"CSRF","references":{"exploitdb":["18791"]},"fixed_in":null},{"id":5993,"title":"WordPress 3.3.2 Cross-Site Scripting (XSS)","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://packetstormsecurity.org/files/113254"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port 
Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2012-6633"]},"fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":null,"vuln_type":"MULTI","references":{"cve":["2012-6634"]},"fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"cve":["2012-6635"]},"fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":5966,"title":"WordPress Plupload Unspecified 
XSS","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"BYPASS","references":{"secunia":["57769"]},"fixed_in":"3.5.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery 
(SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal 
from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.3.1":{"release_date":"2012-01-03","changelog_url":"https://codex.wordpress.org/Version_3.3.1","status":"insecure","vulnerabilities":[{"id":5997,"title":"WordPress 3.3.1 Multiple vulnerabilities including XSS \u0026 Privilege Escalation","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":null,"vuln_type":"MULTI","references":{"url":["http://wordpress.org/news/2012/04/wordpress-3-3-2/"]},"fixed_in":null},{"id":5998,"title":"Wordpress 3.3.1 - Multiple CSRF Vulnerabilities","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"CSRF","references":{"exploitdb":["18791"]},"fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port 
Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2012-6633"]},"fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":null,"vuln_type":"MULTI","references":{"cve":["2012-6634"]},"fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"cve":["2012-6635"]},"fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 
3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - 
Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.3":{"release_date":"2011-12-12","changelog_url":"https://codex.wordpress.org/Version_3.3","status":"insecure","vulnerabilities":[{"id":6000,"title":"WordPress 3.3 Reflected Cross-Site Scripting (XSS)","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://oldmanlab.blogspot.com/2012/01/wordpress-33-xss-vulnerability.html"]},"fixed_in":"3.3.1"},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2012-6633"]},"fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":null,"vuln_type":"MULTI","references":{"cve":["2012-6634"]},"fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"cve":["2012-6635"]},"fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site 
Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.2.1":{"release_date":"2011-07-12","changelog_url":"https://codex.wordpress.org/Version_3.2.1","status":"insecure","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in 
wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2012-6633"]},"fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":null,"vuln_type":"MULTI","references":{"cve":["2012-6634"]},"fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"cve":["2012-6635"]},"fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in 
Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal 
in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.2":{"release_date":"2011-07-04","changelog_url":"https://codex.wordpress.org/Version_3.2","status":"insecure","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2012-6633"]},"fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":null,"vuln_type":"MULTI","references":{"cve":["2012-6634"]},"fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"cve":["2012-6635"]},"fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site 
Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal 
in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.1.4":{"release_date":"2011-06-29","changelog_url":"https://codex.wordpress.org/Version_3.1.4","status":"insecure","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2012-6633"]},"fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":null,"vuln_type":"MULTI","references":{"cve":["2012-6634"]},"fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"cve":["2012-6635"]},"fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site 
Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal 
in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.1.3":{"release_date":"2011-05-25","changelog_url":"https://codex.wordpress.org/Version_3.1.3","status":"insecure","vulnerabilities":[{"id":6001,"title":"WordPress 3.1.3 wp-admin/link-manager.php Multiple Parameter SQL Injection","created_at":"2014-08-01T10:58:22.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"SQLI","references":{"secunia":["45099"],"exploitdb":["17465"]},"fixed_in":"3.1.4"},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port 
Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2012-6633"]},"fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":null,"vuln_type":"MULTI","references":{"cve":["2012-6634"]},"fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"cve":["2012-6635"]},"fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 
3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - 
Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal 
in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.1.2":{"release_date":"2011-04-26","changelog_url":"https://codex.wordpress.org/Version_3.1.2","status":"insecure","vulnerabilities":[{"id":6002,"title":"WordPress \u003c= 3.1.2 Clickjacking","created_at":"2014-08-01T10:58:22.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://seclists.org/fulldisclosure/2011/Sep/219","http://www.securityfocus.com/bid/49730/"]},"fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port 
Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2012-6633"]},"fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":null,"vuln_type":"MULTI","references":{"cve":["2012-6634"]},"fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"cve":["2012-6635"]},"fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 
3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - 
Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal 
in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.1.1":{"release_date":"2011-04-04","changelog_url":"https://codex.wordpress.org/Version_3.1.1","status":"insecure","vulnerabilities":[{"id":6003,"title":"WordPress 3.1 PCRE Library Remote DoS","created_at":"2014-08-01T10:58:22.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":null,"vuln_type":"DOS","references":{"cve":["2011-4957"]},"fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port 
Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2012-6633"]},"fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":null,"vuln_type":"MULTI","references":{"cve":["2012-6634"]},"fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"cve":["2012-6635"]},"fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 
3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - 
Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal 
in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.1":{"release_date":"2011-02-23","changelog_url":"https://codex.wordpress.org/Version_3.1","status":"insecure","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2012-6633"]},"fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":null,"vuln_type":"MULTI","references":{"cve":["2012-6634"]},"fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"cve":["2012-6635"]},"fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":6003,"title":"WordPress 3.1 PCRE Library Remote DoS","created_at":"2014-08-01T10:58:22.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":null,"vuln_type":"DOS","references":{"cve":["2011-4957"]},"fixed_in":"3.1.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site 
Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal 
in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.0.6":{"release_date":"2011-04-26","changelog_url":"https://codex.wordpress.org/Version_3.0.6","status":"insecure","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2012-6633"]},"fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":null,"vuln_type":"MULTI","references":{"cve":["2012-6634"]},"fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"cve":["2012-6635"]},"fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary 
File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.0.5":{"release_date":"2011-02-07","changelog_url":"https://codex.wordpress.org/Version_3.0.5","status":"insecure","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6004,"title":"WordPress \u003c= 3.0.5 wp-admin/press-this.php Privilege 
Escalation","created_at":"2014-08-01T10:58:23.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2011-5270"]},"fixed_in":"3.0.6"},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2012-6633"]},"fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":null,"vuln_type":"MULTI","references":{"cve":["2012-6634"]},"fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"cve":["2012-6635"]},"fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 
- 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal 
in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.0.4":{"release_date":"2010-12-29","changelog_url":"https://codex.wordpress.org/Version_3.0.4","status":"insecure","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6004,"title":"WordPress \u003c= 3.0.5 wp-admin/press-this.php Privilege Escalation","created_at":"2014-08-01T10:58:23.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2011-5270"]},"fixed_in":"3.0.6"},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2012-6633"]},"fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":null,"vuln_type":"MULTI","references":{"cve":["2012-6634"]},"fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"cve":["2012-6635"]},"fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site 
Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal 
in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.0.3":{"release_date":"2010-12-08","changelog_url":"https://codex.wordpress.org/Version_3.0.3","status":"insecure","vulnerabilities":[{"id":6005,"title":"WordPress 2.0 - 3.0.1 SQL Injection in do_trackbacks()","created_at":"2014-08-01T10:58:23.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"SQLI","references":{"exploitdb":["15684"]},"fixed_in":null},{"id":6006,"title":"Wordpress 3.0.3 stored XSS IE7,6 NS8.1","created_at":"2014-08-01T10:58:23.000Z","updated_at":"2018-08-29T19:12:59.000Z","published_date":null,"vuln_type":"XSS","references":{"exploitdb":["15858"]},"fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in 
swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6004,"title":"WordPress \u003c= 3.0.5 wp-admin/press-this.php Privilege Escalation","created_at":"2014-08-01T10:58:23.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2011-5270"]},"fixed_in":"3.0.6"},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2012-6633"]},"fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":null,"vuln_type":"MULTI","references":{"cve":["2012-6634"]},"fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a 
draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"cve":["2012-6635"]},"fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator 
(PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 
2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.0.2":{"release_date":"2010-11-30","changelog_url":"https://codex.wordpress.org/Version_3.0.2","status":"insecure","vulnerabilities":[{"id":6007,"title":"WordPress XML-RPC Interface Access Restriction 
Bypass","created_at":"2014-08-01T10:58:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{},"fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6004,"title":"WordPress \u003c= 3.0.5 wp-admin/press-this.php Privilege Escalation","created_at":"2014-08-01T10:58:23.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2011-5270"]},"fixed_in":"3.0.6"},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2012-6633"]},"fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":null,"vuln_type":"MULTI","references":{"cve":["2012-6634"]},"fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 
wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"cve":["2012-6635"]},"fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator 
(PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 
2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.0.1":{"release_date":"2010-07-29","changelog_url":"https://codex.wordpress.org/Version_3.0.1","status":"insecure","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in 
swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6004,"title":"WordPress \u003c= 3.0.5 wp-admin/press-this.php Privilege Escalation","created_at":"2014-08-01T10:58:23.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2011-5270"]},"fixed_in":"3.0.6"},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2012-6633"]},"fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":null,"vuln_type":"MULTI","references":{"cve":["2012-6634"]},"fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a 
draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"cve":["2012-6635"]},"fixed_in":"3.3.3"},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":6005,"title":"WordPress 2.0 - 3.0.1 SQL Injection in 
do_trackbacks()","created_at":"2014-08-01T10:58:23.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"SQLI","references":{"exploitdb":["15684"]},"fixed_in":"3.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery 
(SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal 
from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal 
in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.0":{"release_date":"2010-06-17","changelog_url":"https://codex.wordpress.org/Version_3.0","status":"insecure","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6004,"title":"WordPress \u003c= 3.0.5 wp-admin/press-this.php Privilege Escalation","created_at":"2014-08-01T10:58:23.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2011-5270"]},"fixed_in":"3.0.6"},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2012-6633"]},"fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":null,"vuln_type":"MULTI","references":{"cve":["2012-6634"]},"fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"cve":["2012-6635"]},"fixed_in":"3.3.3"},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in 
request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0.1"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"REDIRECT","references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated 
Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal 
in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.9.2":{"release_date":"2010-02-15","changelog_url":"https://codex.wordpress.org/Version_2.9.2","status":"insecure","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary 
File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.9.1":{"release_date":"2010-01-04","changelog_url":"https://codex.wordpress.org/Version_2.9.1","status":"insecure","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam 
Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.9":{"release_date":"2009-12-18","changelog_url":"https://codex.wordpress.org/Version_2.9","status":"insecure","vulnerabilities":[{"id":6014,"title":"WordPress 2.9 Failure to Restrict URL 
Access","created_at":"2014-08-01T10:58:25.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"exploitdb":["11441"]},"fixed_in":null},{"id":6015,"title":"WordPress 2.9 - Failure to Restrict URL Access","created_at":"2014-08-01T10:58:25.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"url":["http://blog.dewhurstsecurity.com/2010/02/13/wordpress-2-9-failure-to-restrict-url-access.html"],"cve":["2010-0682"],"exploitdb":["11441"]},"fixed_in":"2.9.2"},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in 
request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress 
\u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary 
File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.8.6":{"release_date":"2009-11-12","changelog_url":"https://codex.wordpress.org/Version_2.8.6","status":"insecure","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam 
Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress 
\u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress 
\u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.8.5":{"release_date":"2009-10-20","changelog_url":"https://codex.wordpress.org/Version_2.8.5","status":"insecure","vulnerabilities":[{"id":6016,"title":"WordPress \u003c= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution","created_at":"2014-08-01T10:58:25.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"exploitdb":["10089"]},"fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.8.4":{"release_date":"2009-08-12","changelog_url":"https://codex.wordpress.org/Version_2.8.4","status":"insecure","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.8.3":{"release_date":"2009-08-03","changelog_url":"https://codex.wordpress.org/Version_2.8.3","status":"insecure","vulnerabilities":[{"id":6017,"title":"Wordpress \u003c= 2.8.3 Remote Admin Reset Password ","created_at":"2014-08-01T10:58:25.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"exploitdb":["9410"]},"fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port 
Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action 
Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.8.2":{"release_date":"2009-07-20","changelog_url":"https://codex.wordpress.org/Version_2.8.2","status":"insecure","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.8.1":{"release_date":"2009-07-09","changelog_url":"https://codex.wordpress.org/Version_2.8.1","status":"insecure","vulnerabilities":[{"id":6018,"title":"Wordpress 2.8.1 (url) Remote Cross Site Scripting Exploit","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"exploitdb":["9250"]},"fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port 
Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action 
Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.8":{"release_date":"2009-06-11","changelog_url":"https://codex.wordpress.org/Version_2.8","status":"insecure","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress 
\u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.7.1":{"release_date":"2009-02-10","changelog_url":"https://codex.wordpress.org/Version_2.7.1","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.7":{"release_date":"2008-12-10","changelog_url":"https://codex.wordpress.org/Version_2.7","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass 
","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 
wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in 
Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.6.5":{"release_date":"2008-11-25","changelog_url":"https://codex.wordpress.org/Version_2.6.5","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass 
","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 
wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress 
\u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.6.3":{"release_date":"2008-10-23","changelog_url":"https://codex.wordpress.org/Version_2.6.3","status":"insecure","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam 
Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.6.2":{"release_date":"2008-09-08","changelog_url":"https://codex.wordpress.org/Version_2.6.2","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass 
","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 
wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.6.1":{"release_date":"2008-08-15","changelog_url":"https://codex.wordpress.org/Version_2.6.1","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass 
","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":6020,"title":"Wordpress 2.6.1 (SQL Column Truncation) Admin Takeover Exploit","created_at":"2014-08-01T10:58:27.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"exploitdb":["6421"]},"fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 
Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery 
(SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.6":{"release_date":"2008-07-15","changelog_url":"https://codex.wordpress.org/Version_2.6","status":"insecure","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in 
swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action 
Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.5.1":{"release_date":"2008-04-25","changelog_url":"https://codex.wordpress.org/Version_2.5.1","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass 
","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 
wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress 
\u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.5":{"release_date":"2008-03-29","changelog_url":"https://codex.wordpress.org/Version_2.5","status":"insecure","vulnerabilities":[{"id":6021,"title":"Wordpress 2.5 Cookie Integrity Protection ","created_at":"2014-08-01T10:58:28.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/archive/1/archive/1/491356/100/0/threaded"],"cve":["2008-1930"]},"fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.3.3":{"release_date":"2008-02-05","changelog_url":"https://codex.wordpress.org/Version_2.3.3","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass 
","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action 
Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.3.2":{"release_date":"2007-12-29","changelog_url":"https://codex.wordpress.org/Version_2.3.2","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam 
Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.3.1":{"release_date":"2007-10-26","changelog_url":"https://codex.wordpress.org/Version_2.3.1","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass 
","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":6022,"title":"Wordpress \u003c= 2.3.1 Charset Remote SQL Injection ","created_at":"2014-08-01T10:58:29.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":null,"vuln_type":"SQLI","references":{"exploitdb":["4721"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 
wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.3":{"release_date":"2007-09-25","changelog_url":"https://codex.wordpress.org/Version_2.3","status":"insecure","vulnerabilities":[{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 
wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.2.3":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_2.2.3","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass 
","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action 
Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.2.2":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_2.2.2","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam 
Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.2.1":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_2.2.1","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback 
additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.2":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_2.2","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass 
","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":6023,"title":"WordPress 2.2 (wp-app.php) Arbitrary File Upload Exploit","created_at":"2014-08-01T10:58:30.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"exploitdb":["4113"]},"fixed_in":null},{"id":6024,"title":"Wordpress 2.2 (xmlrpc.php) Remote SQL Injection Exploit","created_at":"2014-08-01T10:58:30.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"SQLI","references":{"exploitdb":["4039"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in 
wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery 
(SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.1.3":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_2.1.3","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":6025,"title":"Wordpress 2.1.3 admin-ajax.php SQL Injection Blind Fishing Exploit","created_at":"2014-08-01T10:58:30.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":null,"vuln_type":"SQLI","references":{"exploitdb":["3960"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.1.2":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_2.1.2","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass 
","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":6026,"title":"WordPress 'year' Cross-Site Scripting (XSS)","created_at":"2014-08-01T10:58:30.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://www.securityfocus.com/archive/1/archive/1/462374/100/0/threaded"],"secunia":["24485"]},"fixed_in":null},{"id":6027,"title":"WordPress 2.1.2 Authenticated XMLRPC SQL Injection","created_at":"2014-08-01T10:58:30.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":null,"vuln_type":"SQLI","references":{"url":["https://www.notsosecure.com/blog/2007/04/03/wordpress-212-xmlrpc-security-issues/","https://wordpress.org/news/2007/04/wordpress-213-and-2010/"],"cve":["2007-1897"],"secunia":["25108"],"exploitdb":["3656"]},"fixed_in":"2.1.3"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in 
request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress 
\u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.1.1":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_2.1.1","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":6028,"title":"WordPress 2.1.1 - Command Execution Backdoor","created_at":"2014-08-01T10:58:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":null,"vuln_type":"RCE","references":{"url":["http://www.securityfocus.com/bid/22797/","https://exchange.xforce.ibmcloud.com/vulnerabilities/32807","http://wordpress.org/news/2007/03/upgrade-212/"],"cve":["2007-1277"],"secunia":["24374"]},"fixed_in":"2.1.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":7764,"title":"WordPress 2.1.1 - RCE Backdoor","created_at":"2015-01-23T11:45:22.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2007-03-02T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://wordpress.org/news/2007/03/upgrade-212/"]},"fixed_in":null},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.1":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_2.1","status":"insecure","vulnerabilities":[{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port 
Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action 
Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.0.11":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_2.0.11","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass 
","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action 
Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.0.10":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_2.0.10","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam 
Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.0.9":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_2.0.9","status":"insecure","vulnerabilities":[{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 
wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.0.8":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_2.0.8","status":"insecure","vulnerabilities":[{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 
wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery 
(SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.0.7":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_2.0.7","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam 
Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.0.6":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_2.0.6","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":6029,"title":"Wordpress \u003c= 2.0.6 wp-trackback.php Remote SQL Injection Exploit","created_at":"2014-08-01T10:58:32.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":null,"vuln_type":"SQLI","references":{"exploitdb":["3109"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port 
Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action 
Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.0.5":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_2.0.5","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass 
","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":6030,"title":"Wordpress 2.0.5 Trackback UTF-7 Remote SQL Injection Exploit","created_at":"2014-08-01T10:58:32.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"SQLI","references":{"exploitdb":["3095"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 
wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.0.4":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_2.0.4","status":"insecure","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6031,"title":"WordPress 2.0.2 - 2.0.4 Paged Parameter SQL Injection 
","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2018-08-29T19:12:59.000Z","published_date":null,"vuln_type":"SQLI","references":{"url":["http://www.securityfocus.com/bid/18779/"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.0.3":{"release_date":"2006-06-01","changelog_url":"https://codex.wordpress.org/Version_2.0.3","status":"unknown","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass 
","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6031,"title":"WordPress 2.0.2 - 2.0.4 Paged Parameter SQL Injection ","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2018-08-29T19:12:59.000Z","published_date":null,"vuln_type":"SQLI","references":{"url":["http://www.securityfocus.com/bid/18779/"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 
3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.0.2":{"release_date":"2006-03-10","changelog_url":"https://codex.wordpress.org/Version_2.0.2","status":"unknown","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":6032,"title":"WordPress \u003c= 2.0.2 (cache) Remote Shell Injection Exploit","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"exploitdb":["6"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6031,"title":"WordPress 2.0.2 - 2.0.4 Paged Parameter SQL Injection ","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2018-08-29T19:12:59.000Z","published_date":null,"vuln_type":"SQLI","references":{"url":["http://www.securityfocus.com/bid/18779/"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial 
of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.0.1":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_2.0.1","status":"insecure","vulnerabilities":[{"id":6033,"title":"Wordpress 1.5.1 - 2.0.2 wp-register.php Multiple Parameter XSS","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2007-5105","2007-5106"]},"fixed_in":"2.0.2"},{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port 
Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action 
Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"2.0":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_2.0","status":"insecure","vulnerabilities":[{"id":6033,"title":"Wordpress 1.5.1 - 2.0.2 wp-register.php Multiple Parameter 
XSS","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2007-5105","2007-5106"]},"fixed_in":"2.0.2"},{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/35584/"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":null,"vuln_type":"BYPASS","references":{"cve":["2010-5293"]},"fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5294"]},"fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2010-5295"]},"fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 
- 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5296"]},"fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"cve":["2010-5297"]},"fixed_in":"3.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"1.5.2":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_1.5.2","status":"insecure","vulnerabilities":[{"id":6033,"title":"Wordpress 1.5.1 - 2.0.2 wp-register.php Multiple Parameter 
XSS","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2007-5105","2007-5106"]},"fixed_in":"2.0.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"1.5.1.3":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_1.5.1.3","status":"insecure","vulnerabilities":[{"id":6033,"title":"Wordpress 1.5.1 - 2.0.2 wp-register.php Multiple Parameter XSS","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2007-5105","2007-5106"]},"fixed_in":"2.0.2"},{"id":6034,"title":"Wordpress \u003c= 1.5.1.3 Remote Code Execution eXploit (metasploit)","created_at":"2014-08-01T10:58:34.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":null,"vuln_type":"RCE","references":{"cve":["2005-2612"],"secunia":["16386"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"1.5.1.2":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_1.5.1.2","status":"insecure","vulnerabilities":[{"id":6033,"title":"Wordpress 1.5.1 - 2.0.2 wp-register.php Multiple Parameter 
XSS","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2007-5105","2007-5106"]},"fixed_in":"2.0.2"},{"id":6035,"title":"WordPress \u003c= 1.5.1.2 - XMLRPC SQL Injection","created_at":"2014-08-01T10:58:34.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-02-03T00:00:00.000Z","vuln_type":"SQLI","references":{"cve":["2005-2108"],"secunia":["15831","15898"],"exploitdb":["1077"]},"fixed_in":"1.5.1.3"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery 
(SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":7765,"title":"WordPress \u003c= 1.5.1.2 - XMLRPC Eval Injection ","created_at":"2015-01-23T13:27:24.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2005-06-29T00:00:00.000Z","vuln_type":"RCE","references":{"url":["http://www.securityfocus.com/bid/14088/"],"cve":["2005-1921"]},"fixed_in":null},{"id":7766,"title":"WordPress \u003c= 1.5.1.2 - Multiple Cross-Site Scripting (XSS)","created_at":"2015-01-23T13:31:23.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2005-06-30T00:00:00.000Z","vuln_type":"XSS","references":{"cve":["2005-2107"],"secunia":["15831"]},"fixed_in":null},{"id":7767,"title":"WordPress \u003c= 1.5.1.2 - Email Spoofing","created_at":"2015-01-23T13:46:50.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2005-05-07T00:00:00.000Z","vuln_type":"BYPASS","references":{"cve":["2005-2109"],"secunia":["15831"]},"fixed_in":null},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"1.5.1.1":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/index.php?title=Version_1.5.1.1\u0026action=edit\u0026redlink=1","status":"insecure","vulnerabilities":[{"id":6033,"title":"Wordpress 1.5.1 - 2.0.2 wp-register.php Multiple Parameter 
XSS","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2007-5105","2007-5106"]},"fixed_in":"2.0.2"},{"id":6036,"title":"WordPress \u003c= 1.5.1.1 \"add new admin\" SQL Injection Exploit","created_at":"2014-08-01T10:58:34.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":null,"vuln_type":"SQLI","references":{"exploitdb":["1059"]},"fixed_in":null},{"id":6037,"title":"WordPress \u003c= 1.5.1.1 SQL Injection Exploit","created_at":"2014-08-01T10:58:34.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":null,"vuln_type":"SQLI","references":{"exploitdb":["1033"]},"fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":7615,"title":"WordPress 1.5 \u0026 1.5.1.1 - SQL Injection","created_at":"2014-09-27T13:44:45.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2005-01-06T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["http://www.securityfocus.com/bid/13809/"],"cve":["2005-1810"]},"fixed_in":"1.5.1.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":7765,"title":"WordPress \u003c= 1.5.1.2 - XMLRPC Eval Injection ","created_at":"2015-01-23T13:27:24.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2005-06-29T00:00:00.000Z","vuln_type":"RCE","references":{"url":["http://www.securityfocus.com/bid/14088/"],"cve":["2005-1921"]},"fixed_in":null},{"id":7766,"title":"WordPress \u003c= 1.5.1.2 - Multiple Cross-Site Scripting (XSS)","created_at":"2015-01-23T13:31:23.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2005-06-30T00:00:00.000Z","vuln_type":"XSS","references":{"cve":["2005-2107"],"secunia":["15831"]},"fixed_in":null},{"id":7767,"title":"WordPress \u003c= 1.5.1.2 - Email Spoofing","created_at":"2015-01-23T13:46:50.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2005-05-07T00:00:00.000Z","vuln_type":"BYPASS","references":{"cve":["2005-2109"],"secunia":["15831"]},"fixed_in":null},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"1.5.1":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_1.5.1","status":"insecure","vulnerabilities":[{"id":6033,"title":"Wordpress 1.5.1 - 2.0.2 wp-register.php Multiple Parameter XSS","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2007-5105","2007-5106"]},"fixed_in":"2.0.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"fixed_in":null},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":7765,"title":"WordPress \u003c= 1.5.1.2 - XMLRPC Eval Injection ","created_at":"2015-01-23T13:27:24.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2005-06-29T00:00:00.000Z","vuln_type":"RCE","references":{"url":["http://www.securityfocus.com/bid/14088/"],"cve":["2005-1921"]},"fixed_in":null},{"id":7766,"title":"WordPress \u003c= 1.5.1.2 - Multiple Cross-Site Scripting (XSS)","created_at":"2015-01-23T13:31:23.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2005-06-30T00:00:00.000Z","vuln_type":"XSS","references":{"cve":["2005-2107"],"secunia":["15831"]},"fixed_in":null},{"id":7767,"title":"WordPress \u003c= 1.5.1.2 - Email Spoofing","created_at":"2015-01-23T13:46:50.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2005-05-07T00:00:00.000Z","vuln_type":"BYPASS","references":{"cve":["2005-2109"],"secunia":["15831"]},"fixed_in":null},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"1.5":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_1.5","status":"unknown","vulnerabilities":[{"id":6038,"title":"WordPress 1.5 wp-trackback.php tb_id Parameter SQL Injection","created_at":"2014-08-01T10:58:34.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":null,"vuln_type":"SQLI","references":{"cve":["2005-1687"]},"fixed_in":"1.5.1"},{"id":6039,"title":"WordPress \u003c= 1.5 Multiple Vulnerabilities (XSS, SQLi)","created_at":"2014-08-01T10:58:34.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":null,"vuln_type":"MULTI","references":{"cve":["2005-1687","2005-1688"],"secunia":["15324"]},"fixed_in":"1.5.1"},{"id":6042,"title":"WordPress 1.5 template-functions-post.php Multiple Field XSS","created_at":"2014-08-01T10:58:35.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":null,"vuln_type":"XSS","references":{"cve":["2005-1102"]},"fixed_in":null},{"id":7615,"title":"WordPress 1.5 \u0026 1.5.1.1 - SQL Injection","created_at":"2014-09-27T13:44:45.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2005-01-06T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["http://www.securityfocus.com/bid/13809/"],"cve":["2005-1810"]},"fixed_in":"1.5.1.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password 
Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":7765,"title":"WordPress \u003c= 1.5.1.2 - XMLRPC Eval Injection ","created_at":"2015-01-23T13:27:24.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2005-06-29T00:00:00.000Z","vuln_type":"RCE","references":{"url":["http://www.securityfocus.com/bid/14088/"],"cve":["2005-1921"]},"fixed_in":null},{"id":7766,"title":"WordPress \u003c= 1.5.1.2 - Multiple Cross-Site Scripting (XSS)","created_at":"2015-01-23T13:31:23.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2005-06-30T00:00:00.000Z","vuln_type":"XSS","references":{"cve":["2005-2107"],"secunia":["15831"]},"fixed_in":null},{"id":7767,"title":"WordPress \u003c= 1.5.1.2 - Email Spoofing","created_at":"2015-01-23T13:46:50.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2005-05-07T00:00:00.000Z","vuln_type":"BYPASS","references":{"cve":["2005-2109"],"secunia":["15831"]},"fixed_in":null},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.6.1":{"release_date":"2013-09-11","changelog_url":"https://codex.wordpress.org/Version_3.6.1","status":"insecure","vulnerabilities":[{"id":7526,"title":"WordPress 3.5 - 3.7.1 XML-RPC DoS","created_at":"2014-08-27T11:32:03.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/","http://www.breaksec.com/?p=6362"]},"fixed_in":"3.9.2"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7530,"title":"WordPress 3.6 - 3.9.1 XXE in GetID3 
Library","created_at":"2014-09-16T18:19:44.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":null,"vuln_type":"XXE","references":{"url":["https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc","http://getid3.sourceforge.net/","http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html","https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav"],"cve":["2014-2053"]},"fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request 
Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision 
History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.5.3"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator 
(PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.7.2"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.7.3"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host 
Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.9":{"release_date":"2014-04-16","changelog_url":"https://codex.wordpress.org/Version_3.9","status":"insecure","vulnerabilities":[{"id":7527,"title":" WordPress 3.9 \u0026 3.9.1 Unlikely Code Execution","created_at":"2014-09-16T17:10:42.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"RCE","references":{"url":["https://core.trac.wordpress.org/changeset/29389"],"cve":["2014-5203"]},"fixed_in":"3.9.2"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7530,"title":"WordPress 3.6 - 3.9.1 XXE in GetID3 
Library","created_at":"2014-09-16T18:19:44.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":null,"vuln_type":"XXE","references":{"url":["https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc","http://getid3.sourceforge.net/","http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html","https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav"],"cve":["2014-2053"]},"fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request 
Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":7697,"title":"WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media Playlists","created_at":"2014-11-30T19:09:16.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/30422"],"cve":["2014-9032"]},"fixed_in":"4.0.1"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2015-04-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"fixed_in":"4.1.2"},{"id":7933,"title":"WordPress 3.9-4.1.1 - Same-Origin Method Execution","created_at":"2015-04-22T17:06:43.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-04-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","http://zoczus.blogspot.fr/2015/04/plupload-same-origin-method-execution.html"],"cve":["2015-3439"]},"fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.9.7"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.9.8"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.9.8"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.9.8"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.9.8"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.9.8"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.9.9"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.9.9"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.9.9"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.9.10"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.9.20"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.9.21"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"3.9.1":{"release_date":"2014-05-08","changelog_url":"https://codex.wordpress.org/Version_3.9.1","status":"insecure","vulnerabilities":[{"id":7527,"title":" WordPress 3.9 \u0026 3.9.1 Unlikely Code Execution","created_at":"2014-09-16T17:10:42.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"RCE","references":{"url":["https://core.trac.wordpress.org/changeset/29389"],"cve":["2014-5203"]},"fixed_in":"3.9.2"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7530,"title":"WordPress 3.6 - 3.9.1 XXE in GetID3 
Library","created_at":"2014-09-16T18:19:44.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":null,"vuln_type":"XXE","references":{"url":["https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc","http://getid3.sourceforge.net/","http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html","https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav"],"cve":["2014-2053"]},"fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request 
Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":7697,"title":"WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media Playlists","created_at":"2014-11-30T19:09:16.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/30422"],"cve":["2014-9032"]},"fixed_in":"4.0.1"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2015-04-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.9.7"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.9.8"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel 
Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.9.8"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.9.8"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.9.8"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.9.8"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.9.9"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.9.9"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.9.9"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.9.10"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.9.20"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.9.21"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"3.7":{"release_date":"2013-10-24","changelog_url":"https://codex.wordpress.org/Version_3.7","status":"insecure","vulnerabilities":[{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7530,"title":"WordPress 3.6 - 3.9.1 XXE in GetID3 
Library","created_at":"2014-09-16T18:19:44.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":null,"vuln_type":"XXE","references":{"url":["https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc","http://getid3.sourceforge.net/","http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html","https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav"],"cve":["2014-2053"]},"fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request 
Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2015-04-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.7.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.7.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.7.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.7.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open 
Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"3.8.2":{"release_date":"2014-04-08","changelog_url":"https://codex.wordpress.org/Version_3.8.2","status":"insecure","vulnerabilities":[{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7530,"title":"WordPress 3.6 - 3.9.1 XXE in GetID3 
Library","created_at":"2014-09-16T18:19:44.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":null,"vuln_type":"XXE","references":{"url":["https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc","http://getid3.sourceforge.net/","http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html","https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav"],"cve":["2014-2053"]},"fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request 
Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2015-04-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.8.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.8.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.8.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.8.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.8.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.8.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open 
Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.8.3":{"release_date":"2014-04-14","changelog_url":"https://codex.wordpress.org/Version_3.8.3","status":"insecure","vulnerabilities":[{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2018-08-29T19:13:10.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"fixed_in":"3.9.2"},{"id":7530,"title":"WordPress 3.6 - 3.9.1 XXE in GetID3 
Library","created_at":"2014-09-16T18:19:44.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":null,"vuln_type":"XXE","references":{"url":["https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc","http://getid3.sourceforge.net/","http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html","https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav"],"cve":["2014-2053"]},"fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request 
Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2015-04-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.8.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.8.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.8.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.8.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.8.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.8.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open 
Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.9.2":{"release_date":"2014-08-06","changelog_url":"https://codex.wordpress.org/Version_3.9.2","status":"insecure","vulnerabilities":[{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2018-08-29T19:13:17.000Z","published_date":null,"vuln_type":"AUTHBYPASS","references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":7697,"title":"WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media Playlists","created_at":"2014-11-30T19:09:16.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/30422"],"cve":["2014-9032"]},"fixed_in":"4.0.1"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2015-04-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"fixed_in":"4.1.2"},{"id":7691,"title":"WordPress \u003c= 4.0 - CSRF in wp-login.php Password Reset","created_at":"2014-11-25T22:57:27.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/30418"],"cve":["2014-9033"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.9.7"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.9.8"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.9.8"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.9.8"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.9.8"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.9.8"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.9.9"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.9.9"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.9.9"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.9.10"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 
2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.9.20"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.9.21"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"4.0":{"release_date":"2014-09-04","changelog_url":"https://codex.wordpress.org/Version_4.0","status":"insecure","vulnerabilities":[{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":7697,"title":"WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media 
Playlists","created_at":"2014-11-30T19:09:16.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":null,"vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/30422"],"cve":["2014-9032"]},"fixed_in":"4.0.1"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2015-04-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"fixed_in":"4.1.2"},{"id":7933,"title":"WordPress 3.9-4.1.1 - Same-Origin Method Execution","created_at":"2015-04-22T17:06:43.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-04-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","http://zoczus.blogspot.fr/2015/04/plupload-same-origin-method-execution.html"],"cve":["2015-3439"]},"fixed_in":"4.1.2"},{"id":7691,"title":"WordPress \u003c= 4.0 - CSRF in wp-login.php Password Reset","created_at":"2014-11-25T22:57:27.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/30418"],"cve":["2014-9033"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.0.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"4.0.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"4.0.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"4.0.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"4.0.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"4.0.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.0.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.0.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.0.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.0.9"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.0.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.0.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.0.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.0.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.0.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.0.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.0.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"1.2":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_1.2","status":"unknown","vulnerabilities":[{"id":7613,"title":"WordPress 1.2-1.2.1 - Multiple Cross-Site Scripting (XSS)","created_at":"2014-09-27T13:35:32.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2004-12-31T00:00:00.000Z","vuln_type":"XSS","references":{"url":["http://www.securityfocus.com/bid/11268/"],"cve":["2004-1559"],"secunia":["12683"]},"fixed_in":"1.2.2"},{"id":7614,"title":"WordPress 1.2 - HTTP Response Splitting","created_at":"2014-09-27T13:39:17.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2004-12-31T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["http://www.securityfocus.com/bid/11348/"],"cve":["2004-1584"],"secunia":["12773"]},"fixed_in":"1.2.1"},{"id":7681,"title":"WordPress 
\u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":7765,"title":"WordPress \u003c= 1.5.1.2 - XMLRPC Eval Injection ","created_at":"2015-01-23T13:27:24.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2005-06-29T00:00:00.000Z","vuln_type":"RCE","references":{"url":["http://www.securityfocus.com/bid/14088/"],"cve":["2005-1921"]},"fixed_in":null},{"id":7766,"title":"WordPress \u003c= 1.5.1.2 - Multiple Cross-Site Scripting (XSS)","created_at":"2015-01-23T13:31:23.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2005-06-30T00:00:00.000Z","vuln_type":"XSS","references":{"cve":["2005-2107"],"secunia":["15831"]},"fixed_in":null},{"id":7767,"title":"WordPress \u003c= 1.5.1.2 - Email Spoofing","created_at":"2015-01-23T13:46:50.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2005-05-07T00:00:00.000Z","vuln_type":"BYPASS","references":{"cve":["2005-2109"],"secunia":["15831"]},"fixed_in":null},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"1.2.1":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_1.2.1","status":"insecure","vulnerabilities":[{"id":7613,"title":"WordPress 1.2-1.2.1 - Multiple Cross-Site Scripting (XSS)","created_at":"2014-09-27T13:35:32.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2004-12-31T00:00:00.000Z","vuln_type":"XSS","references":{"url":["http://www.securityfocus.com/bid/11268/"],"cve":["2004-1559"],"secunia":["12683"]},"fixed_in":"1.2.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":null,"vuln_type":"DOS","references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":null,"vuln_type":"SSRF","references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"fixed_in":"4.0.1"},{"id":7765,"title":"WordPress \u003c= 1.5.1.2 - XMLRPC Eval Injection ","created_at":"2015-01-23T13:27:24.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2005-06-29T00:00:00.000Z","vuln_type":"RCE","references":{"url":["http://www.securityfocus.com/bid/14088/"],"cve":["2005-1921"]},"fixed_in":null},{"id":7766,"title":"WordPress \u003c= 1.5.1.2 - Multiple Cross-Site Scripting (XSS)","created_at":"2015-01-23T13:31:23.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2005-06-30T00:00:00.000Z","vuln_type":"XSS","references":{"cve":["2005-2107"],"secunia":["15831"]},"fixed_in":null},{"id":7767,"title":"WordPress \u003c= 1.5.1.2 - Email Spoofing","created_at":"2015-01-23T13:46:50.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2005-05-07T00:00:00.000Z","vuln_type":"BYPASS","references":{"cve":["2005-2109"],"secunia":["15831"]},"fixed_in":null},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"0.70":{"release_date":"2003-05-27","changelog_url":"https://codex.wordpress.org/Version_0.70","status":"unknown","vulnerabilities":[{"id":7815,"title":"WordPress 0.7 - SQL Injection","created_at":"2015-03-01T11:34:31.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2003-06-02T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["http://www.kernelpanik.org/docs/kernelpanik/wordpressadv.txt"],"cve":["2003-1598"]},"fixed_in":"0.72"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"4.1":{"release_date":"2014-12-18","changelog_url":"https://codex.wordpress.org/Version_4.1","status":"insecure","vulnerabilities":[{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2015-04-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"fixed_in":"4.1.2"},{"id":7933,"title":"WordPress 3.9-4.1.1 - Same-Origin Method 
Execution","created_at":"2015-04-22T17:06:43.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-04-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","http://zoczus.blogspot.fr/2015/04/plupload-same-origin-method-execution.html"],"cve":["2015-3439"]},"fixed_in":"4.1.2"},{"id":7979,"title":"WordPress 4.1-4.2.1 - Unauthenticated Genericons Cross-Site Scripting (XSS)","created_at":"2015-05-11T09:36:36.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":"2015-05-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.2.2"]},"fixed_in":"4.1.5"},{"id":8043,"title":"WordPress 4.1 - 4.1.1 - Arbitrary File Upload","created_at":"2015-06-11T07:50:28.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2015-06-10T00:00:00.000Z","vuln_type":"UPLOAD","references":{"url":["http://www.openwall.com/lists/oss-security/2015/06/10/11","https://core.trac.wordpress.org/changeset/32172"]},"fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.1.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"4.1.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel 
Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"4.1.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"4.1.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"4.1.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"4.1.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.1.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.1.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.1.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.1.9"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.1.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.1.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.1.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.1.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.1.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.1.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.1.1":{"release_date":"2015-02-18","changelog_url":"https://codex.wordpress.org/Version_4.1.1","status":"insecure","vulnerabilities":[{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2015-04-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"fixed_in":"4.1.2"},{"id":7933,"title":"WordPress 3.9-4.1.1 - Same-Origin Method 
Execution","created_at":"2015-04-22T17:06:43.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-04-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","http://zoczus.blogspot.fr/2015/04/plupload-same-origin-method-execution.html"],"cve":["2015-3439"]},"fixed_in":"4.1.2"},{"id":7945,"title":"WordPress \u003c= 4.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-27T06:51:01.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-04-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress2.html","http://packetstormsecurity.com/files/131644/"],"exploitdb":["36844"]},"fixed_in":"4.2.1"},{"id":7979,"title":"WordPress 4.1-4.2.1 - Unauthenticated Genericons Cross-Site Scripting (XSS)","created_at":"2015-05-11T09:36:36.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":"2015-05-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.2.2"]},"fixed_in":"4.1.5"},{"id":8043,"title":"WordPress 4.1 - 4.1.1 - Arbitrary File Upload","created_at":"2015-06-11T07:50:28.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2015-06-10T00:00:00.000Z","vuln_type":"UPLOAD","references":{"url":["http://www.openwall.com/lists/oss-security/2015/06/10/11","https://core.trac.wordpress.org/changeset/32172"]},"fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.1.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"4.1.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"4.1.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"4.1.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"4.1.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"4.1.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.1.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.1.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.1.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.1.9"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.1.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.1.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.1.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.1.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.1.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.1.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.2":{"release_date":"2015-04-23","changelog_url":"https://codex.wordpress.org/Version_4.2","status":"insecure","vulnerabilities":[{"id":7945,"title":"WordPress \u003c= 4.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-27T06:51:01.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-04-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress2.html","http://packetstormsecurity.com/files/131644/"],"exploitdb":["36844"]},"fixed_in":"4.2.1"},{"id":7979,"title":"WordPress 4.1-4.2.1 - Unauthenticated Genericons Cross-Site Scripting 
(XSS)","created_at":"2015-05-11T09:36:36.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":"2015-05-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.2.2"]},"fixed_in":"4.2.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"4.2.4"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"4.2.4"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"4.2.4"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"4.2.4"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"4.2.4"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.2.5"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.2.5"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission 
Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.2.5"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.2.6"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.2.7"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.2.7"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.2.8"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"fixed_in":"4.2.9"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.2.9"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.2.9"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.2.10"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.2.10"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised 
Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored 
Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.2.16"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.2.17"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.2.18"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.2.18"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.2.18"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.9.2"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.2.20"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.2.20"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.2.20"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.2.21"}]},"3.9.3":{"release_date":"2014-11-20","changelog_url":"https://codex.wordpress.org/Version_3.9.3","status":"insecure","vulnerabilities":[{"id":7945,"title":"WordPress \u003c= 4.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-27T06:51:01.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-04-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress2.html","http://packetstormsecurity.com/files/131644/"],"exploitdb":["36844"]},"fixed_in":"4.2.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.9.7"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.9.8"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.9.8"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.9.8"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.9.8"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.9.8"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.9.9"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.9.9"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.9.9"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.9.10"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.9.20"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.9.21"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"4.1.2":{"release_date":"2015-04-21","changelog_url":"https://codex.wordpress.org/Version_4.1.2","status":"insecure","vulnerabilities":[{"id":7945,"title":"WordPress \u003c= 4.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-27T06:51:01.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-04-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["http://klikki.fi/adv/wordpress2.html","http://packetstormsecurity.com/files/131644/"],"exploitdb":["36844"]},"fixed_in":"4.2.1"},{"id":7979,"title":"WordPress 4.1-4.2.1 - Unauthenticated Genericons Cross-Site Scripting (XSS)","created_at":"2015-05-11T09:36:36.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":"2015-05-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.2.2"]},"fixed_in":"4.1.5"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.1.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"4.1.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"4.1.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"4.1.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"4.1.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"4.1.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.1.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.4.1.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.1.8"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.1.9"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.1.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 
4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta 
Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.1.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.1.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.1.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.1.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.1.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.2.1":{"release_date":"2015-04-27","changelog_url":"https://codex.wordpress.org/Version_4.2.1","status":"insecure","vulnerabilities":[{"id":7979,"title":"WordPress 4.1-4.2.1 - Unauthenticated Genericons Cross-Site Scripting (XSS)","created_at":"2015-05-11T09:36:36.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":"2015-05-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.2.2"]},"fixed_in":"4.2.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"4.2.4"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"4.2.4"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"4.2.4"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"4.2.4"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"4.2.4"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.2.5"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.2.5"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.2.5"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.2.6"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.2.7"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.2.7"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.2.8"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored 
XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"fixed_in":"4.2.9"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.2.9"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.2.9"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.2.10"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.2.10"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised 
Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored 
Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.2.16"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.2.17"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.2.18"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.2.18"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.2.18"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.9.2"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.2.20"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.2.20"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.2.20"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.2.21"}]},"4.0.1":{"release_date":"2014-11-20","changelog_url":"https://codex.wordpress.org/Version_4.0.1","status":"insecure","vulnerabilities":[{"id":7933,"title":"WordPress 3.9-4.1.1 - Same-Origin Method Execution","created_at":"2015-04-22T17:06:43.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-04-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","http://zoczus.blogspot.fr/2015/04/plupload-same-origin-method-execution.html"],"cve":["2015-3439"]},"fixed_in":"4.1.2"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2015-04-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.0.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"4.0.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"4.0.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"4.0.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"4.0.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"4.0.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.0.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.0.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.0.8"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.0.9"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.0.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 
4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta 
Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.0.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.0.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.0.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.0.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.0.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"4.1.5":{"release_date":"2015-05-07","changelog_url":"https://codex.wordpress.org/Version_4.1.5","status":"insecure","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.1.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"4.1.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"4.1.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"4.1.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"4.1.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"4.1.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.1.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.1.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.1.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.1.9"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.1.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.1.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.1.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.1.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.1.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.1.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.1.4":{"release_date":"2015-04-27","changelog_url":"https://codex.wordpress.org/Version_4.1.4","status":"insecure","vulnerabilities":[{"id":7979,"title":"WordPress 4.1-4.2.1 - Unauthenticated Genericons Cross-Site Scripting (XSS)","created_at":"2015-05-11T09:36:36.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":"2015-05-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.2.2"]},"fixed_in":"4.1.5"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.1.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"4.1.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"4.1.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"4.1.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"4.1.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"4.1.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.1.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.1.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.1.8"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.1.9"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.1.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 
4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta 
Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.1.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.1.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.1.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.1.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.1.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.1.3":{"release_date":"2015-04-23","changelog_url":"https://codex.wordpress.org/Version_4.1.3","status":"insecure","vulnerabilities":[{"id":7979,"title":"WordPress 4.1-4.2.1 - Unauthenticated Genericons Cross-Site Scripting (XSS)","created_at":"2015-05-11T09:36:36.000Z","updated_at":"2018-08-29T19:12:57.000Z","published_date":"2015-05-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.2.2"]},"fixed_in":"4.1.5"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.1.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"4.1.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"4.1.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"4.1.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"4.1.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"4.1.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.1.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.1.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.1.8"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.1.9"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.1.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 
4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta 
Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.1.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.1.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.1.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.1.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.1.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"3.8.4":{"release_date":"2014-08-06","changelog_url":"https://codex.wordpress.org/Version_3.8.4","status":"insecure","vulnerabilities":[{"id":7691,"title":"WordPress \u003c= 4.0 - CSRF in wp-login.php Password Reset","created_at":"2014-11-25T22:57:27.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/30418"],"cve":["2014-9033"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.8.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.8.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.8.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.8.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.8.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.8.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 
2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.7.4":{"release_date":"2014-08-06","changelog_url":"https://codex.wordpress.org/Version_3.7.4","status":"insecure","vulnerabilities":[{"id":7691,"title":"WordPress \u003c= 4.0 - CSRF in wp-login.php Password Reset","created_at":"2014-11-25T22:57:27.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":null,"vuln_type":"CSRF","references":{"url":["https://core.trac.wordpress.org/changeset/30418"],"cve":["2014-9033"]},"fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.7.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.7.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.7.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.7.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"4.2.3":{"release_date":"2015-07-23","changelog_url":"https://codex.wordpress.org/Version_4.2.3","status":"insecure","vulnerabilities":[{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"4.2.4"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"4.2.4"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"4.2.4"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"4.2.4"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"4.2.4"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.2.5"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.2.5"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission 
Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.2.5"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.2.6"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.2.7"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.2.7"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.2.8"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"fixed_in":"4.2.9"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.2.9"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.2.9"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.2.10"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.2.10"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised 
Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored 
Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.2.16"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.2.17"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.2.18"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.2.18"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.2.18"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.9.2"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.2.20"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.2.20"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.2.20"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.2.21"}]},"3.8.8":{"release_date":"2015-05-07","changelog_url":"https://codex.wordpress.org/Version_3.8.8","status":"insecure","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.8.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.8.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel 
Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.8.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.8.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.8.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.8.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.8.5":{"release_date":"2014-11-20","changelog_url":"https://codex.wordpress.org/Version_3.8.5","status":"insecure","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.8.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.8.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel 
Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.8.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.8.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.8.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.8.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.8.6":{"release_date":"2015-04-21","changelog_url":"https://codex.wordpress.org/Version_3.8.6","status":"insecure","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.8.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.8.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel 
Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.8.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.8.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.8.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.8.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.8.7":{"release_date":"2015-04-23","changelog_url":"https://codex.wordpress.org/Version_3.8.7","status":"insecure","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.8.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.8.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel 
Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.8.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.8.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.8.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.8.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"0.71":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_0.71","status":"unknown","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"0.711":{"release_date":"2003-06-25","changelog_url":"https://codex.wordpress.org/Version_0.711","status":"unknown","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"0.72":{"release_date":"2003-10-11","changelog_url":"https://codex.wordpress.org/Version_0.72","status":"unknown","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"1.0":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_1.0","status":"unknown","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"1.0.1":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_1.0.1","status":"unknown","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"1.0.2":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_1.0.2","status":"insecure","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"1.2.2":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_1.2.2","status":"insecure","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":null}]},"3.7.2":{"release_date":"2014-04-08","changelog_url":"https://codex.wordpress.org/Version_3.7.2","status":"insecure","vulnerabilities":[{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.7.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.7.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.7.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission 
Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 
2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"3.7.3":{"release_date":"2014-04-14","changelog_url":"https://codex.wordpress.org/Version_3.7.3","status":"insecure","vulnerabilities":[{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.7.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.7.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.7.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission 
Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 
2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"3.7.5":{"release_date":"2014-11-20","changelog_url":"https://codex.wordpress.org/Version_3.7.5","status":"insecure","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.7.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.7.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.7.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.7.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"3.7.6":{"release_date":"2015-04-21","changelog_url":"https://codex.wordpress.org/Version_3.7.6","status":"insecure","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.7.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.7.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel 
Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.7.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.7.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"3.7.7":{"release_date":"2015-04-23","changelog_url":"https://codex.wordpress.org/Version_3.7.7","status":"insecure","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.7.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.7.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel 
Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.7.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.7.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"3.7.8":{"release_date":"2015-05-07","changelog_url":"https://codex.wordpress.org/Version_3.7.8","status":"insecure","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.7.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.7.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel 
Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.7.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.7.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"3.7.9":{"release_date":"2015-07-23","changelog_url":"https://codex.wordpress.org/Version_3.7.9","status":"insecure","vulnerabilities":[{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.7.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.7.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.7.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission 
Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 
2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"3.8.9":{"release_date":"2015-07-23","changelog_url":"https://codex.wordpress.org/Version_3.8.9","status":"insecure","vulnerabilities":[{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.8.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel 
Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.8.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.8.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.8.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.8.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.9.4":{"release_date":"2015-04-21","changelog_url":"https://codex.wordpress.org/Version_3.9.4","status":"insecure","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.9.7"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.9.8"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel 
Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.9.8"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.9.8"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.9.8"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.9.8"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.9.9"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.9.9"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.9.9"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.9.10"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.9.20"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.9.21"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"3.9.5":{"release_date":"2015-04-23","changelog_url":"https://codex.wordpress.org/index.php?title=Version_3.9.5\u0026action=edit\u0026redlink=1","status":"insecure","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.9.7"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.9.8"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel 
Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.9.8"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.9.8"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.9.8"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.9.8"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.9.9"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.9.9"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.9.9"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.9.10"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.9.20"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.9.21"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"3.9.6":{"release_date":"2015-05-07","changelog_url":"https://codex.wordpress.org/Version_3.9.6","status":"insecure","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"3.9.7"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.9.8"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel 
Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.9.8"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.9.8"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.9.8"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.9.8"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.9.9"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.9.9"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.9.9"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.9.10"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.9.20"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.9.21"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"3.9.7":{"release_date":"2015-07-23","changelog_url":"https://codex.wordpress.org/Version_3.9.7","status":"insecure","vulnerabilities":[{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"3.9.8"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"3.9.8"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"3.9.8"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.9.8"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.9.8"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.9.9"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.9.9"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission 
Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.9.9"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.9.10"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 
2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.9.20"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.9.21"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"4.0.2":{"release_date":"2015-04-21","changelog_url":"https://codex.wordpress.org/Version_4.0.2","status":"insecure","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.0.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"4.0.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"4.0.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"4.0.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"4.0.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"4.0.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.0.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.0.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.0.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.0.9"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.0.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.0.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.0.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.0.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.0.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.0.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"4.0.3":{"release_date":"2015-04-23","changelog_url":"https://codex.wordpress.org/Version_4.0.3","status":"insecure","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.0.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"4.0.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"4.0.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"4.0.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"4.0.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"4.0.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.0.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.0.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.0.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.0.9"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.0.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.0.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.0.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.0.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.0.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.0.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"4.0.4":{"release_date":"2015-04-27","changelog_url":"https://codex.wordpress.org/Version_4.0.4","status":"insecure","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.0.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"4.0.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"4.0.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"4.0.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"4.0.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"4.0.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.0.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.0.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.0.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.0.9"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.0.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.0.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.0.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.0.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.0.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.0.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"4.0.5":{"release_date":"2015-05-06","changelog_url":"https://codex.wordpress.org/Version_4.0.5","status":"insecure","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.0.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"4.0.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"4.0.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"4.0.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"4.0.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"4.0.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.0.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.0.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.0.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.0.9"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.0.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.0.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.0.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.0.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.0.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.0.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"4.0.6":{"release_date":"2015-07-23","changelog_url":"https://codex.wordpress.org/Version_4.0.6","status":"insecure","vulnerabilities":[{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"4.0.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel 
Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"4.0.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"4.0.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"4.0.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"4.0.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.0.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.0.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.0.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.0.9"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.0.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.0.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.0.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.0.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.0.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.0.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"4.1.6":{"release_date":"2015-07-23","changelog_url":"https://codex.wordpress.org/Version_4.1.6","status":"insecure","vulnerabilities":[{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"4.1.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel 
Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"4.1.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"4.1.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"4.1.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"4.1.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.1.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.1.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.1.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.1.9"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.1.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.1.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.1.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.1.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.1.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.1.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.2.2":{"release_date":"2015-05-07","changelog_url":"https://codex.wordpress.org/Version_4.2.2","status":"insecure","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-07-23T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"fixed_in":"4.2.3"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2015-08-04T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"fixed_in":"4.2.4"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2018-08-29T19:13:20.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"fixed_in":"4.2.4"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"fixed_in":"4.2.4"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"4.2.4"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"4.2.4"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.2.5"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.2.5"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.2.5"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.2.6"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.2.7"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.2.7"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.2.8"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"fixed_in":"4.2.9"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.2.9"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.2.9"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.2.10"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.2.10"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.2.16"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.2.17"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.2.18"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.2.18"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.2.18"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.2.19"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.2.20"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.2.20"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.2.20"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.2.21"}]},"4.2.4":{"release_date":"2015-08-04","changelog_url":"https://codex.wordpress.org/Version_4.2.4","status":"insecure","vulnerabilities":[{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.2.5"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.2.5"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.2.5"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.2.6"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.2.7"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.2.7"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.2.8"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"fixed_in":"4.2.9"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.2.9"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.2.9"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.2.10"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.2.10"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.2.16"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.2.17"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.2.18"},{"id":8967,"title":"WordPress 
1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.2.18"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.2.18"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.2.19"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.2.20"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.2.20"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.2.20"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.2.21"}]},"4.1.7":{"release_date":"2015-08-04","changelog_url":"https://codex.wordpress.org/Version_4.1.7","status":"insecure","vulnerabilities":[{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.1.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.1.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission 
Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.1.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.1.9"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.1.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 
2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 
2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.1.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.1.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.1.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.1.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.1.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.0.7":{"release_date":"2015-08-04","changelog_url":"https://codex.wordpress.org/Version_4.0.7","status":"insecure","vulnerabilities":[{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.0.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.0.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.0.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.0.9"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.0.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.0.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.0.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.0.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.0.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.0.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"3.9.8":{"release_date":"2015-08-04","changelog_url":"https://codex.wordpress.org/Version_3.9.8","status":"insecure","vulnerabilities":[{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.9.9"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.9.9"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.9.9"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.9.10"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open 
Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.9.20"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.9.21"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"3.8.10":{"release_date":"2015-08-04","changelog_url":"https://codex.wordpress.org/Version_3.8.10","status":"insecure","vulnerabilities":[{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission 
Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 
2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.7.10":{"release_date":"2015-08-04","changelog_url":"https://codex.wordpress.org/Version_3.7.10","status":"insecure","vulnerabilities":[{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2015-08-05T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 
2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"4.3":{"release_date":"2015-08-18","changelog_url":"https://codex.wordpress.org/Version_4.3","status":"insecure","vulnerabilities":[{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"fixed_in":"4.3.1"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"fixed_in":"4.3.1"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission 
Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2015-09-15T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"fixed_in":"4.3.1"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.3.2"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.3.3"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.3.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.3.4"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"fixed_in":"4.3.5"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.3.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.3.5"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.3.6"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.3.6"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.3.7"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.3.7"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.3.7"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.3.7"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.3.7"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.3.7"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.3.8"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.3.8"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.3.8"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.3.9"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.3.9"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.3.9"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.3.9"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.3.12"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.3.13"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.3.14"},{"id":8967,"title":"WordPress 
1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.3.14"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.3.14"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.3.14"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.3.15"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.3.16"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.3.16"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.3.16"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.3.17"}]},"4.3.1":{"release_date":"2015-09-15","changelog_url":"https://codex.wordpress.org/Version_4.3.1","status":"insecure","vulnerabilities":[{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.3.2"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.3.2"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery 
(SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.3.3"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.3.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.3.4"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"fixed_in":"4.3.5"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.3.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.3.5"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.3.6"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.3.6"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.3.7"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.3.7"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.3.7"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.3.7"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.3.7"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.3.7"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised 
Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.3.8"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.3.8"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.3.8"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.3.9"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.3.9"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.3.9"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.3.9"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.3.12"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.3.13"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.3.14"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.3.14"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.3.14"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.3.14"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.3.15"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.3.16"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.3.16"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.3.16"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.3.17"}]},"4.2.5":{"release_date":"2015-09-15","changelog_url":"https://codex.wordpress.org/Version_4.2.5","status":"insecure","vulnerabilities":[{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting 
(XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.2.6"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.2.6"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.2.7"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.2.7"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.2.8"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"fixed_in":"4.2.9"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.2.9"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.2.9"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.2.10"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.2.10"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised 
Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored 
Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.2.16"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.2.17"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.2.18"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.2.18"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.2.18"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.2.19"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.2.20"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.2.20"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.2.20"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.2.21"}]},"4.1.8":{"release_date":"2015-09-15","changelog_url":"https://codex.wordpress.org/Version_4.1.8","status":"insecure","vulnerabilities":[{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.1.9"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.1.9"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery 
(SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.1.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.1.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.1.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.1.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.1.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.1.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.0.8":{"release_date":"2015-09-15","changelog_url":"https://codex.wordpress.org/Version_4.0.8","status":"insecure","vulnerabilities":[{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.0.9"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting 
(XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.0.9"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.0.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 
4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta 
Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.0.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.0.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.0.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.0.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.0.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"3.9.9":{"release_date":"2015-09-15","changelog_url":"https://codex.wordpress.org/Version_3.9.9","status":"insecure","vulnerabilities":[{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.9.10"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting 
(XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.9.10"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 
2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.9.20"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.9.21"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"3.8.11":{"release_date":"2015-09-15","changelog_url":"https://codex.wordpress.org/Version_3.8.11","status":"insecure","vulnerabilities":[{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open 
Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.7.11":{"release_date":"2015-09-15","changelog_url":"https://codex.wordpress.org/Version_3.7.11","status":"insecure","vulnerabilities":[{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open 
Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"4.4":{"release_date":"2015-12-08","changelog_url":"https://codex.wordpress.org/Version_4.4","status":"insecure","vulnerabilities":[{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2016-01-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"fixed_in":"4.4.1"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.4.2"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open 
Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.4.2"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting 
(XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.4.3"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"fixed_in":"4.4.4"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.4.4"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal 
from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.4.4"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.4.5"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.4.5"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in 
PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.4.6"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.4.6"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.4.6"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.4.6"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.4.6"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.4.6"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.4.7"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.4.7"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.4.7"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.4.8"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.4.8"},{"id":8768,"title":"WordPress 4.0-4.7.2 - 
Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.4.8"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.4.8"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.4.10"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.4.10"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.4.10"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.4.10"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.4.10"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.4.10"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.4.11"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.4.12"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.4.13"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.4.13"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.4.13"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.4.13"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.4.14"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.4.15"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.4.15"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.4.15"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.4.16"}]},"3.7.12":{"release_date":"2016-01-06","changelog_url":"https://codex.wordpress.org/Version_3.7.12","status":"insecure","vulnerabilities":[{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery 
(SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"3.8.12":{"release_date":"2016-01-06","changelog_url":"https://codex.wordpress.org/Version_3.8.12","status":"insecure","vulnerabilities":[{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 
2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.9.10":{"release_date":"2016-01-06","changelog_url":"https://codex.wordpress.org/Version_3.9.10","status":"insecure","vulnerabilities":[{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open 
Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.9.20"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.9.21"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"4.0.9":{"release_date":"2016-01-06","changelog_url":"https://codex.wordpress.org/Version_4.0.9","status":"insecure","vulnerabilities":[{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.0.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 
2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 
2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.0.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.0.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.0.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.0.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.0.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"4.1.9":{"release_date":"2016-01-06","changelog_url":"https://codex.wordpress.org/Version_4.1.9","status":"insecure","vulnerabilities":[{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery 
(SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.1.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.1.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.1.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.1.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.1.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.1.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.2.6":{"release_date":"2016-01-06","changelog_url":"https://codex.wordpress.org/Version_4.2.6","status":"insecure","vulnerabilities":[{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.2.7"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open 
Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.2.7"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting 
(XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.2.8"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"fixed_in":"4.2.9"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.2.9"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal 
from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.2.9"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.2.10"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.2.10"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control 
Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.2.16"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.2.17"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.2.18"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.2.18"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.2.18"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.2.19"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.2.20"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.2.20"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.2.20"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.2.21"}]},"4.3.2":{"release_date":"2016-01-06","changelog_url":"https://codex.wordpress.org/Version_4.3.2","status":"insecure","vulnerabilities":[{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.3.3"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open 
Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.3.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting 
(XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.3.4"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"fixed_in":"4.3.5"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.3.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal 
from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.3.5"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.3.6"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.3.6"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in 
PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.3.7"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.3.7"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.3.7"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.3.7"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.3.7"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.3.7"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.3.8"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.3.8"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.3.8"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.3.9"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.3.9"},{"id":8768,"title":"WordPress 4.0-4.7.2 - 
Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.3.9"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.3.9"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.3.12"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.3.13"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.3.14"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.3.14"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.3.14"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.3.14"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.3.15"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.3.16"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.3.16"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.3.16"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.3.17"}]},"4.4.1":{"release_date":"2016-01-06","changelog_url":"https://codex.wordpress.org/Version_4.4.1","status":"insecure","vulnerabilities":[{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"fixed_in":"4.4.2"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open 
Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2016-02-02T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"fixed_in":"4.4.2"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting 
(XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.4.3"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"fixed_in":"4.4.4"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.4.4"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal 
from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.4.4"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.4.5"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.4.5"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in 
PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.4.6"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.4.6"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.4.6"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.4.6"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.4.6"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.4.6"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.4.7"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.4.7"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.4.7"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.4.8"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.4.8"},{"id":8768,"title":"WordPress 4.0-4.7.2 - 
Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.4.8"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.4.8"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.4.10"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.4.10"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.4.10"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.4.10"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.4.10"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.4.10"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.4.11"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.4.12"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.4.13"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.4.13"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.4.13"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.4.13"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.4.14"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.4.15"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.4.15"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.4.15"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.4.16"}]},"4.4.2":{"release_date":"2016-02-02","changelog_url":"https://codex.wordpress.org/Version_4.4.2","status":"insecure","vulnerabilities":[{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.4.3"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"fixed_in":"4.4.4"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.4.4"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.4.4"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.4.5"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.4.5"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.4.6"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.4.6"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.4.6"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.4.6"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.4.6"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.4.6"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.4.7"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.4.7"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.4.7"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.4.8"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.4.8"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.4.8"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.4.8"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.4.10"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.4.10"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.4.10"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.4.10"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.4.10"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.4.10"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.4.11"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.4.12"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.4.13"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.4.13"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.4.13"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.4.13"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.4.14"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.4.15"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.4.15"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.4.15"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.4.16"}]},"4.3.3":{"release_date":"2016-02-02","changelog_url":"https://codex.wordpress.org/Version_4.3.3","status":"insecure","vulnerabilities":[{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.3.4"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored 
XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"fixed_in":"4.3.5"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.3.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.3.5"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.3.6"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.3.6"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.3.7"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.3.7"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.3.7"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.3.7"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.3.7"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.3.7"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.3.8"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.3.8"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.3.8"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.3.9"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.3.9"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.3.9"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.3.9"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.3.12"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.3.13"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.3.14"},{"id":8967,"title":"WordPress 
1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.3.14"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.3.14"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.3.14"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.3.15"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.3.16"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.3.16"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.3.16"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.3.17"}]},"4.2.7":{"release_date":"2016-02-02","changelog_url":"https://codex.wordpress.org/Version_4.2.7","status":"insecure","vulnerabilities":[{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.2.8"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"fixed_in":"4.2.9"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.2.9"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.2.9"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.2.10"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.2.10"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.2.16"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.2.17"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.2.18"},{"id":8967,"title":"WordPress 
1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.2.18"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.2.18"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.2.19"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.2.20"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.2.20"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.2.20"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.2.21"}]},"4.1.10":{"release_date":"2016-02-02","changelog_url":"https://codex.wordpress.org/Version_4.1.10","status":"insecure","vulnerabilities":[{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.1.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.1.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.1.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.1.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.1.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.0.10":{"release_date":"2016-02-02","changelog_url":"https://codex.wordpress.org/Version_4.0.10","status":"insecure","vulnerabilities":[{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 
4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta 
Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.0.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.0.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.0.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.0.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.0.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"3.9.11":{"release_date":"2016-02-02","changelog_url":"https://codex.wordpress.org/Version_3.9.11","status":"insecure","vulnerabilities":[{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 
2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.9.20"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.9.21"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"3.8.13":{"release_date":"2016-02-02","changelog_url":"https://codex.wordpress.org/Version_3.8.13","status":"insecure","vulnerabilities":[{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.7.13":{"release_date":"2016-02-02","changelog_url":"https://codex.wordpress.org/Version_3.7.13","status":"insecure","vulnerabilities":[{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"SSRF","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2018-08-29T19:13:15.000Z","published_date":"2016-04-12T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"4.5":{"release_date":"2016-04-12","changelog_url":"https://codex.wordpress.org/Version_4.5","status":"insecure","vulnerabilities":[{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.5.2"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored 
XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"fixed_in":"4.5.3"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.5.3"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.5.4"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.5.4"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.7.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.5.5"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.5.5"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.5.5"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.5.5"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.5.5"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.5.6"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.5.6"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.5.6"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.5.7"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.5.7"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.5.7"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.5.7"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.5.9"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.5.9"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.5.9"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.5.9"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.5.9"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.5.9"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.5.10"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.5.10"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.5.10"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.5.10"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.5.10"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.5.11"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.5.12"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.5.12"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.5.12"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.5.12"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.5.13"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.5.14"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.5.14"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.5.14"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.5.15"}]},"4.5.1":{"release_date":"2016-04-26","changelog_url":"https://codex.wordpress.org/Version_4.5.1","status":"insecure","vulnerabilities":[{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2018-09-03T12:46:55.000Z","published_date":"2016-05-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e"],"cve":["2016-4566"]},"fixed_in":"4.5.2"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"fixed_in":"4.5.3"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.5.3"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.5.4"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.5.4"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.5.5"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.5.5"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.5.5"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.5.5"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.5.5"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.5.5"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.5.6"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.5.6"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.5.6"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.5.7"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.5.7"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.5.7"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.5.7"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.5.9"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.5.9"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.5.9"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.5.9"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.5.9"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.5.9"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.5.10"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.5.10"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.5.10"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.5.10"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.5.10"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.5.11"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.5.12"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.5.12"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.5.12"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.5.12"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.5.13"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.5.14"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.5.14"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.5.14"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.5.15"}]},"3.7.14":{"release_date":"2016-05-06","changelog_url":"https://codex.wordpress.org/Version_3.7.14","status":"insecure","vulnerabilities":[{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 
2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"3.8.14":{"release_date":"2016-05-06","changelog_url":"https://codex.wordpress.org/Version_3.8.14","status":"insecure","vulnerabilities":[{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.9.12":{"release_date":"2016-05-06","changelog_url":"https://codex.wordpress.org/Version_3.9.12","status":"insecure","vulnerabilities":[{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.9.20"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.9.21"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"4.0.11":{"release_date":"2016-05-06","changelog_url":"https://codex.wordpress.org/Version_4.0.11","status":"insecure","vulnerabilities":[{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.0.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.0.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.0.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.0.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.0.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"4.1.11":{"release_date":"2016-05-06","changelog_url":"https://codex.wordpress.org/Version_4.1.11","status":"insecure","vulnerabilities":[{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 
4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta 
Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.1.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.1.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.1.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.1.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.1.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.2.8":{"release_date":"2016-05-06","changelog_url":"https://codex.wordpress.org/Version_4.2.8","status":"insecure","vulnerabilities":[{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"fixed_in":"4.2.9"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.2.9"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.2.9"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.2.10"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.2.10"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.2.16"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.2.17"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.2.18"},{"id":8967,"title":"WordPress 
1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.2.18"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.2.18"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.2.19"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.2.20"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.2.20"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.2.20"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.2.21"}]},"4.3.4":{"release_date":"2016-05-06","changelog_url":"https://codex.wordpress.org/Version_4.3.4","status":"insecure","vulnerabilities":[{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"fixed_in":"4.3.5"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.3.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.3.5"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.3.6"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.3.6"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in 
PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.3.7"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.3.7"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.3.7"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.3.7"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.3.7"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.3.7"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.3.8"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.3.8"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.3.8"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.3.9"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.3.9"},{"id":8768,"title":"WordPress 4.0-4.7.2 - 
Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.3.9"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.3.9"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.3.12"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.3.13"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.3.14"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.3.14"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.3.14"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.3.14"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.3.15"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.3.16"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.3.16"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.3.16"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.3.17"}]},"4.4.3":{"release_date":"2016-05-06","changelog_url":"https://codex.wordpress.org/Version_4.4.3","status":"insecure","vulnerabilities":[{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"fixed_in":"4.4.4"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.4.4"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.4.4"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.4.5"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.4.5"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.4.6"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.4.6"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.4.6"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.4.6"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.4.6"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.4.6"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised 
Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.4.7"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.4.7"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.4.7"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.4.8"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.4.8"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.4.8"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.4.8"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.4.10"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.4.10"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.4.10"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.4.10"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.4.10"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.4.10"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.4.11"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.4.12"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.4.13"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.4.13"},{"id":8968,"title":"WordPress 
4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.4.13"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.4.13"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.4.14"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.4.15"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.4.15"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.4.15"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.4.16"}]},"4.5.2":{"release_date":"2016-05-06","changelog_url":"https://codex.wordpress.org/Version_4.5.2","status":"insecure","vulnerabilities":[{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"fixed_in":"4.5.3"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"fixed_in":"4.5.3"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"fixed_in":"4.5.3"},{"id":8522,"title":"WordPress 4.5.2 - Redirect Bypass","created_at":"2016-06-22T18:43:41.000Z","updated_at":"2018-08-29T19:13:06.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/"],"cve":["2016-5832"]},"fixed_in":"4.5.3"},{"id":8523,"title":"WordPress 4.5.2 - oEmbed Denial of Service (DoS)","created_at":"2016-06-22T18:44:38.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/"],"cve":["2016-5836"]},"fixed_in":"4.5.3"},{"id":8524,"title":"WordPress 4.5.2 - Password Change via Stolen Cookie","created_at":"2016-06-22T18:45:24.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2016-06-21T00:00:00.000Z","vuln_type":"AUTHBYPASS","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/"],"cve":["2016-5838"]},"fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.5.4"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.5.4"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.5.5"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.5.5"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.5.5"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.5.5"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.5.5"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.5.5"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.5.6"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.5.6"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.5.6"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.5.7"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.5.7"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.5.7"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.5.7"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.5.9"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.5.9"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.5.9"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.5.9"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.5.9"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.5.9"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.5.10"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.5.10"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.5.10"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.5.10"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.5.10"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.5.11"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.5.12"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.5.12"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.5.12"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.5.12"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.5.13"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.5.14"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.5.14"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.5.14"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.5.15"}]},"4.5.3":{"release_date":"2016-06-21","changelog_url":"https://codex.wordpress.org/Version_4.5.3","status":"insecure","vulnerabilities":[{"id":8606,"title":"WordPress 4.5.3 - Authenticated Denial of Service (DoS)","created_at":"2016-08-20T15:37:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-08-20T00:00:00.000Z","vuln_type":"DOS","references":{"url":["http://seclists.org/fulldisclosure/2016/Aug/98","https://sumofpwn.nl/advisory/2016/path_traversal_vulnerability_in_wordpress_core_ajax_handlers.html","https://core.trac.wordpress.org/ticket/37490"],"cve":["2016-6896","2016-6897"]},"fixed_in":"4.6"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.5.4"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.5.4"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.5.5"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.5.5"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.5.5"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.5.5"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.5.5"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.5.5"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.5.6"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.5.6"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.5.6"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.5.7"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.5.7"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.5.7"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.5.7"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.5.9"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.5.9"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.5.9"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.5.9"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.5.9"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.5.9"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.5.10"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.5.10"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.5.10"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.5.10"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.5.10"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.5.11"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.5.12"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.5.12"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.5.12"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.5.12"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.5.13"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.5.14"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.5.14"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.5.14"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.5.15"}]},"3.7.15":{"release_date":"2016-06-21","changelog_url":"https://codex.wordpress.org/Version_3.7.15","status":"insecure","vulnerabilities":[{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 
2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - 
Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"3.8.15":{"release_date":"2016-06-21","changelog_url":"https://codex.wordpress.org/Version_3.8.15","status":"insecure","vulnerabilities":[{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 
2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 
3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.9.13":{"release_date":"2016-06-21","changelog_url":"https://codex.wordpress.org/Version_3.9.13","status":"insecure","vulnerabilities":[{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 
2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - 
Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.9.20"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.9.21"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"4.0.12":{"release_date":"2016-06-21","changelog_url":"https://codex.wordpress.org/Version_4.0.12","status":"insecure","vulnerabilities":[{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 
2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 
3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper 
Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.0.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.0.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.0.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.0.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.0.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"4.1.12":{"release_date":"2016-06-21","changelog_url":"https://codex.wordpress.org/Version_4.1.12","status":"insecure","vulnerabilities":[{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.1.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.1.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.1.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.1.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.1.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.2.9":{"release_date":"2016-06-21","changelog_url":"https://codex.wordpress.org/Version_4.2.9","status":"insecure","vulnerabilities":[{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.2.10"},{"id":8616,"title":"WordPress 
2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.2.10"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - 
Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.2.16"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.2.17"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.2.18"},{"id":8967,"title":"WordPress 
1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.2.18"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.2.18"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.2.19"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.2.20"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.2.20"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.2.20"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.2.21"}]},"4.3.5":{"release_date":"2016-06-21","changelog_url":"https://codex.wordpress.org/Version_4.3.5","status":"insecure","vulnerabilities":[{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.3.6"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.3.6"},{"id":8714,"title":"WordPress 
4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.3.7"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.3.7"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.3.7"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.3.7"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.3.7"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.3.7"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.3.8"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.3.8"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.3.8"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.3.9"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.3.9"},{"id":8768,"title":"WordPress 4.0-4.7.2 - 
Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.3.9"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.3.9"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.3.12"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.3.13"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.3.14"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.3.14"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.3.14"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.3.14"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.3.15"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.3.16"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.3.16"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.3.16"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.3.17"}]},"4.4.4":{"release_date":"2016-06-21","changelog_url":"https://codex.wordpress.org/Version_4.4.4","status":"insecure","vulnerabilities":[{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.4.5"},{"id":8616,"title":"WordPress 
2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.4.5"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.4.6"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.4.6"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.4.6"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.4.6"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.4.6"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.4.6"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised 
Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.4.7"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.4.7"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.4.7"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.4.8"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.4.8"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.4.8"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.4.8"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.4.10"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.4.10"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.4.10"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.4.10"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.4.10"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.4.10"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.4.11"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.4.12"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.4.13"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.4.13"},{"id":8968,"title":"WordPress 
4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.4.13"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.4.13"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.4.14"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.4.15"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.4.15"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.4.15"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.4.16"}]},"4.6":{"release_date":"2016-08-16","changelog_url":"https://codex.wordpress.org/Version_4.6","status":"insecure","vulnerabilities":[{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2018-08-29T19:13:05.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2018-08-29T19:13:14.000Z","published_date":"2016-09-07T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"fixed_in":"4.6.1"},{"id":8714,"title":"WordPress 4.3-4.7 
- Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.7.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.6.2"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.6.2"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.6.2"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.6.2"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.6.2"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.6.3"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.6.3"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.6.3"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.6.4"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.6.4"},{"id":8768,"title":"WordPress 4.0-4.7.2 - 
Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.6.4"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.6.4"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.6.6"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.6.6"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.6.6"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.6.6"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.6.6"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.6.6"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.6.7"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.6.7"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.6.7"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.6.7"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.6.8"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.6.9"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.6.9"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.6.9"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.6.9"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.6.10"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.6.11"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.6.11"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.6.11"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.6.12"}]},"3.7.16":{"release_date":"2016-09-07","changelog_url":"https://codex.wordpress.org/Version_3.7.16","status":"insecure","vulnerabilities":[{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 
2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"3.8.16":{"release_date":"2016-09-07","changelog_url":"https://codex.wordpress.org/Version_3.8.16","status":"insecure","vulnerabilities":[{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.9.14":{"release_date":"2016-09-07","changelog_url":"https://codex.wordpress.org/Version_3.9.14","status":"insecure","vulnerabilities":[{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.9.20"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.9.21"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"4.0.13":{"release_date":"2016-09-07","changelog_url":"https://codex.wordpress.org/Version_4.0.13","status":"insecure","vulnerabilities":[{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.0.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.0.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.0.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.0.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.0.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"4.1.13":{"release_date":"2016-09-07","changelog_url":"https://codex.wordpress.org/Version_4.1.13","status":"insecure","vulnerabilities":[{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.1.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.1.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.1.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.1.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.1.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.2.10":{"release_date":"2016-09-07","changelog_url":"https://codex.wordpress.org/Version_4.2.10","status":"insecure","vulnerabilities":[{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.2.16"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.2.17"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.2.18"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.2.18"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.2.18"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.2.19"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.2.20"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.2.20"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.2.20"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.2.21"}]},"4.3.6":{"release_date":"2016-09-07","changelog_url":"https://codex.wordpress.org/Version_4.3.6","status":"insecure","vulnerabilities":[{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.3.7"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.3.7"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.3.7"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.3.7"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.3.7"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.3.7"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.3.8"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.3.8"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.3.8"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.3.9"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.3.9"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.3.9"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.3.9"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.3.12"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.3.13"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.3.14"},{"id":8967,"title":"WordPress 
1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.3.14"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.3.14"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.3.14"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.3.15"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.3.16"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.3.16"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.3.16"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.3.17"}]},"4.4.5":{"release_date":"2016-09-07","changelog_url":"https://codex.wordpress.org/Version_4.4.5","status":"insecure","vulnerabilities":[{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.4.6"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.4.6"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.4.6"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.4.6"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.4.6"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.4.6"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.4.7"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.4.7"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.4.7"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.4.8"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.4.8"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.4.8"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.4.8"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.4.10"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.4.10"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.4.10"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.4.10"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.4.10"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.4.10"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.4.11"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.4.12"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.4.13"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.4.13"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.4.13"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.4.13"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.4.14"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.4.15"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.4.15"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.4.15"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.4.16"}]},"4.5.4":{"release_date":"2016-09-07","changelog_url":"https://codex.wordpress.org/Version_4.5.4","status":"insecure","vulnerabilities":[{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in 
PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.5.5"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.5.5"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.5.5"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.5.5"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.5.5"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.5.5"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.5.6"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.5.6"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.5.6"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.5.7"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.5.7"},{"id":8768,"title":"WordPress 4.0-4.7.2 - 
Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.5.7"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.5.7"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.5.9"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.5.9"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.5.9"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.5.9"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.5.9"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.5.9"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.5.10"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.5.10"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.5.10"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.5.10"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.5.10"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.5.11"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.5.12"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.5.12"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.5.12"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.5.12"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.5.13"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.5.14"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.5.14"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.5.14"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.5.15"}]},"4.6.1":{"release_date":"2016-09-07","changelog_url":"https://codex.wordpress.org/Version_4.6.1","status":"insecure","vulnerabilities":[{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in 
PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.6.2"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.6.2"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.6.2"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.6.2"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.6.2"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.6.2"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.6.3"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.6.3"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.6.3"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.6.4"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.6.4"},{"id":8768,"title":"WordPress 4.0-4.7.2 - 
Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.6.4"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.6.4"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.6.6"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.6.6"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.6.6"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.6.6"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.6.6"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.6.6"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.6.7"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.6.7"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.6.7"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.6.7"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.6.7"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.6.8"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.6.9"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.6.9"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.6.9"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.6.9"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.6.10"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.6.11"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.6.11"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.6.11"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.6.12"}]},"4.7":{"release_date":"2016-12-06","changelog_url":"https://codex.wordpress.org/Version_4.7","status":"insecure","vulnerabilities":[{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in 
PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.7.1"},{"id":8715,"title":"WordPress 4.7 - User Information Disclosure via REST API","created_at":"2017-01-12T08:45:07.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://www.wordfence.com/blog/2016/12/wordfence-blocks-username-harvesting-via-new-rest-api-wp-4-7/","https://github.com/WordPress/WordPress/commit/daf358983cc1ce0c77bf6d2de2ebbb43df2add60","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5487"]},"fixed_in":"4.7.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"4.7.1"},{"id":8717,"title":"WordPress \u003c= 4.7 - Cross-Site Request Forgery (CSRF) via Flash 
Upload","created_at":"2017-01-12T09:02:41.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://ahussam.me/Leaking-WordPress-CSRF-Tokens/","https://youtu.be/p0x3Q7y4U_Q","https://hackerone.com/reports/149589"],"cve":["2017-5489"]},"fixed_in":"4.7.1"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2018-08-29T19:13:00.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"fixed_in":"4.7.1"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.7.2"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.7.2"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.7.2"},{"id":8734,"title":"WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST 
API","created_at":"2017-02-01T16:15:01.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-02-01T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html","https://blogs.akamai.com/2017/02/wordpress-web-api-vulnerability.html","https://gist.github.com/leonjza/2244eb15510a0687ed93160c623762ab","https://github.com/WordPress/WordPress/commit/e357195ce303017d517aff944644a7a1232926f7"],"metasploit":["auxiliary/scanner/http/wordpress_content_injection"]},"fixed_in":"4.7.2"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.7.3"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8767,"title":"WordPress 4.7.0-4.7.2 - Authenticated Unintended File Deletion in Plugin 
Delete","created_at":"2017-03-07T08:54:07.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663"],"cve":["2017-6816"]},"fixed_in":"4.7.3"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.7.3"},{"id":8769,"title":"WordPress 4.7-4.7.2 - Cross-Site Scripting (XSS) via Taxonomy Term Names","created_at":"2017-03-07T09:30:32.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/9092fd01e1f452f37c313d38b18f9fe6907541f9"],"cve":["2017-6818"]},"fixed_in":"4.7.3"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.7.6"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.7.6"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.7.6"},{"id":8912,"title":"WordPress 4.4-4.8.1 - Path Traversal in Customizer ","created_at":"2017-09-25T10:08:18.000Z","updated_at":"2018-08-29T20:00:17.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41397"],"cve":["2017-14722"]},"fixed_in":"4.7.6"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.7.6"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.7.6"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.7.7"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.7.8"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.7.8"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.7.8"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.7.8"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.7.9"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.7.10"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.7.10"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.7.10"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.7.11"}]},"3.7.17":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_3.7.17","status":"insecure","vulnerabilities":[{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"3.8.17":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_3.8.17","status":"insecure","vulnerabilities":[{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.9.15":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_3.9.15","status":"insecure","vulnerabilities":[{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.9.20"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.9.21"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"4.0.14":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_4.0.14","status":"insecure","vulnerabilities":[{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.0.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.0.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.0.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.0.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.0.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"4.1.14":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_4.1.14","status":"insecure","vulnerabilities":[{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper 
Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.1.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.1.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.1.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.1.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.1.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.2.11":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_4.2.11","status":"insecure","vulnerabilities":[{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised 
Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored 
Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.2.16"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.2.17"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.2.18"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.2.18"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.2.18"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.2.19"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.2.20"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.2.20"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.2.20"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.2.21"}]},"4.3.7":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_4.3.7","status":"insecure","vulnerabilities":[{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.3.7"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised 
Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.3.8"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.3.8"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.3.8"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.3.9"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.3.9"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.3.9"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.3.9"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.3.12"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.3.13"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.3.14"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.3.14"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.3.14"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.3.14"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.3.15"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.3.16"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.3.16"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.3.16"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.3.17"}]},"4.4.6":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_4.4.6","status":"insecure","vulnerabilities":[{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in 
PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.4.6"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.4.7"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.4.7"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list 
table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.4.7"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.4.8"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.4.8"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.4.8"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.4.8"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.4.10"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.4.10"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.4.10"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.4.10"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.4.10"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.4.10"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.4.11"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.4.12"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.4.13"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.4.13"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.4.13"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.4.13"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.4.14"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.4.15"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.4.15"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.4.15"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.4.16"}]},"4.5.5":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_4.5.5","status":"insecure","vulnerabilities":[{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in 
PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-01-11T00:00:00.000Z","vuln_type":"RCE","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"fixed_in":"4.5.5"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.5.6"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.5.6"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list 
table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.5.6"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.5.7"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.5.7"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.5.7"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.5.7"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.5.9"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.5.9"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.5.9"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.5.9"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.5.9"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.5.9"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.5.10"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.5.10"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.5.10"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.5.10"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.5.10"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.5.11"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.5.12"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.5.12"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.5.12"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.5.12"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.5.13"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.5.14"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.5.14"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.5.14"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.5.15"}]},"4.7.1":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_4.7.1","status":"insecure","vulnerabilities":[{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised 
Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.7.2"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.7.2"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.7.2"},{"id":8734,"title":"WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API","created_at":"2017-02-01T16:15:01.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-02-01T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html","https://blogs.akamai.com/2017/02/wordpress-web-api-vulnerability.html","https://gist.github.com/leonjza/2244eb15510a0687ed93160c623762ab","https://github.com/WordPress/WordPress/commit/e357195ce303017d517aff944644a7a1232926f7"],"metasploit":["auxiliary/scanner/http/wordpress_content_injection"]},"fixed_in":"4.7.2"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - 
Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.7.3"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8767,"title":"WordPress 4.7.0-4.7.2 - Authenticated Unintended File Deletion in Plugin Delete","created_at":"2017-03-07T08:54:07.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663"],"cve":["2017-6816"]},"fixed_in":"4.7.3"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.7.3"},{"id":8769,"title":"WordPress 4.7-4.7.2 - Cross-Site Scripting (XSS) via Taxonomy Term Names","created_at":"2017-03-07T09:30:32.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/9092fd01e1f452f37c313d38b18f9fe6907541f9"],"cve":["2017-6818"]},"fixed_in":"4.7.3"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.7.6"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.7.6"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.7.6"},{"id":8912,"title":"WordPress 4.4-4.8.1 - Path Traversal in Customizer ","created_at":"2017-09-25T10:08:18.000Z","updated_at":"2018-08-29T20:00:17.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41397"],"cve":["2017-14722"]},"fixed_in":"4.7.6"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in 
oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.7.6"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.7.6"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.7.7"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.7.8"},{"id":8967,"title":"WordPress 1.5.0-4.9 - 
RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.7.8"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.7.8"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.7.8"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.7.9"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.7.10"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.7.10"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.7.10"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.7.11"}]},"4.6.2":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_4.6.2","status":"insecure","vulnerabilities":[{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"fixed_in":"4.6.3"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"fixed_in":"4.6.3"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list 
table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-01-26T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"fixed_in":"4.6.3"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.6.4"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.6.4"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.6.4"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.6.4"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.6.6"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.6.6"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.6.6"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.6.6"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.6.6"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.6.6"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.6.7"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.6.7"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.6.7"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.6.7"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.6.7"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.6.8"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.6.9"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.6.9"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.6.9"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.6.9"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.6.10"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.6.11"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.6.11"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.6.11"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.6.12"}]},"3.7.18":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_3.7.18","status":"insecure","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"3.8.18":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_3.8.18","status":"insecure","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.3 
- Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.9.16":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_3.9.16","status":"insecure","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.3 
- Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.9.20"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.9.21"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"4.0.15":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_4.0.15","status":"insecure","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 
- Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack 
of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.0.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.0.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.0.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.0.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.0.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"4.1.15":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_4.1.15","status":"insecure","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control 
Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta 
Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.1.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.1.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.1.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.1.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.1.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.2.12":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_4.2.12","status":"insecure","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.2.16"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.2.17"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.2.18"},{"id":8967,"title":"WordPress 
1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.2.18"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.2.18"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.2.19"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.2.20"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.2.20"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.2.20"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.2.21"}]},"4.3.8":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_4.3.8","status":"insecure","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.3.9"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.3.9"},{"id":8768,"title":"WordPress 4.0-4.7.2 - 
Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.3.9"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.3.9"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.3.12"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.3.13"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.3.14"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.3.14"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.3.14"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.3.14"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.3.15"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.3.16"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.3.16"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.3.16"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.3.17"}]},"4.4.7":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_4.4.7","status":"insecure","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.4.8"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control 
Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.4.8"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.4.8"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.4.8"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.4.10"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.4.10"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.4.10"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.4.10"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.4.10"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.4.10"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.4.11"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.4.12"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.4.13"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.4.13"},{"id":8968,"title":"WordPress 
4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.4.13"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.4.13"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.4.14"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.4.15"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.4.15"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.4.15"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.4.16"}]},"4.5.6":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_4.5.6","status":"insecure","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.5.7"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.5.7"},{"id":8768,"title":"WordPress 4.0-4.7.2 - 
Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.5.7"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.5.7"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.5.9"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.5.9"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.5.9"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.5.9"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.5.9"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.5.9"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.5.10"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.5.10"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.5.10"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.5.10"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.5.10"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.5.11"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.5.12"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.5.12"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.5.12"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.5.12"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.5.13"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.5.14"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.5.14"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.5.14"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.5.15"}]},"4.6.3":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_4.6.3","status":"insecure","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.6.4"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.6.4"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.6.4"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.6.4"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.6.6"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.6.6"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.6.6"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.6.6"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.6.6"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.6.6"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.6.7"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.6.7"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.6.7"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.6.7"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.6.7"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.6.8"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.6.9"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.6.9"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.6.9"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.6.9"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.6.10"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.6.11"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.6.11"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.6.11"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.6.12"}]},"4.7.2":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_4.7.2","status":"insecure","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"fixed_in":"4.7.3"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control 
Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2018-08-29T19:13:16.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"fixed_in":"4.7.3"},{"id":8767,"title":"WordPress 4.7.0-4.7.2 - Authenticated Unintended File Deletion in Plugin Delete","created_at":"2017-03-07T08:54:07.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663"],"cve":["2017-6816"]},"fixed_in":"4.7.3"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"fixed_in":"4.7.3"},{"id":8769,"title":"WordPress 4.7-4.7.2 - Cross-Site Scripting (XSS) via Taxonomy Term Names","created_at":"2017-03-07T09:30:32.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/9092fd01e1f452f37c313d38b18f9fe6907541f9"],"cve":["2017-6818"]},"fixed_in":"4.7.3"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This 
CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2018-08-29T19:13:11.000Z","published_date":"2017-03-06T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562","https://hackerone.com/reports/153093"],"cve":["2017-6819"]},"fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.7.6"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.7.6"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.7.6"},{"id":8912,"title":"WordPress 4.4-4.8.1 - Path Traversal in Customizer ","created_at":"2017-09-25T10:08:18.000Z","updated_at":"2018-08-29T20:00:17.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41397"],"cve":["2017-14722"]},"fixed_in":"4.7.6"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.7.6"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.7.6"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.7.7"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.7.8"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.7.8"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.7.8"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.7.8"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.7.9"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.7.10"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.7.10"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.7.10"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.7.11"}]},"3.7.19":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_3.7.19","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"3.8.19":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_3.8.19","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.9.17":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_3.9.17","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.9.20"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.9.21"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"4.0.16":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_4.0.16","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.0.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.0.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.0.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.0.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.0.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"4.1.16":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_4.1.16","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.1.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.1.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.1.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.1.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.1.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.2.13":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_4.2.13","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.2.16"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.2.17"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.2.18"},{"id":8967,"title":"WordPress 
1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.2.18"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.2.18"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.2.19"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.2.20"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.2.20"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.2.20"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.2.21"}]},"4.3.9":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_4.3.9","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.3.12"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.3.13"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.3.14"},{"id":8967,"title":"WordPress 
1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.3.14"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.3.14"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.3.14"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.3.15"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.3.16"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.3.16"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.3.16"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.3.17"}]},"4.4.8":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_4.4.8","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.4.10"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.4.10"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.4.10"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.4.10"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.4.10"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.4.10"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.4.11"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.4.12"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.4.13"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.4.13"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.4.13"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.4.13"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.4.14"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.4.15"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.4.15"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.4.15"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.4.16"}]},"4.5.7":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_4.5.7","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.5.9"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.5.9"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.5.9"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.5.9"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.5.9"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.5.9"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.5.10"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.5.10"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.5.10"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.5.10"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.5.10"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.5.11"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.5.12"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.5.12"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.5.12"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.5.12"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.5.13"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.5.14"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.5.14"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.5.14"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.5.15"}]},"4.6.4":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_4.6.4","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.6.6"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.6.6"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.6.6"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.6.6"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.6.6"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.6.6"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.6.7"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.6.7"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.6.7"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.6.7"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.6.7"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.6.8"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.6.9"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.6.9"},{"id":8968,"title":"WordPress 
4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.6.9"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.6.9"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.6.10"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.6.11"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.6.11"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.6.11"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.6.12"}]},"4.7.3":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_4.7.3","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.7.6"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.7.6"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.7.6"},{"id":8912,"title":"WordPress 4.4-4.8.1 - Path Traversal in Customizer ","created_at":"2017-09-25T10:08:18.000Z","updated_at":"2018-08-29T20:00:17.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41397"],"cve":["2017-14722"]},"fixed_in":"4.7.6"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.7.6"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.7.6"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.7.7"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.7.8"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.7.8"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.7.8"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.7.8"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.7.9"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.7.10"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.7.10"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.7.10"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.7.11"}]},"3.7.20":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_3.7.20","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"3.8.20":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_3.8.20","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.9.18":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_3.9.18","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.9.20"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.9.21"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"4.0.17":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_4.0.17","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.0.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.0.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.0.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.0.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.0.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"4.1.17":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_4.1.17","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.1.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.1.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.1.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.1.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.1.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.2.14":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_4.2.14","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.2.16"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.2.17"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.2.18"},{"id":8967,"title":"WordPress 
1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.2.18"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.2.18"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.2.19"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.2.20"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.2.20"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.2.20"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.2.21"}]},"4.3.10":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_4.3.10","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.3.12"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.3.13"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.3.14"},{"id":8967,"title":"WordPress 
1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.3.14"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.3.14"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.3.14"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.3.15"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.3.16"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.3.16"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.3.16"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.3.17"}]},"4.4.9":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_4.4.9","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.4.10"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.4.10"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.4.10"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.4.10"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.4.10"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.4.10"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.4.11"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.4.12"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.4.13"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.4.13"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.4.13"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.4.13"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.4.14"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.4.15"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.4.15"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.4.15"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.4.16"}]},"4.5.8":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_4.5.8","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.5.9"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.5.9"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.5.9"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.5.9"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.5.9"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.5.9"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.5.10"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.5.10"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.5.10"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.5.10"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.5.10"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.5.11"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.5.12"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.5.12"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.5.12"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.5.12"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.5.13"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.5.14"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.5.14"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.5.14"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.5.15"}]},"4.6.5":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_4.6.5","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.6.6"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.6.6"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.6.6"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.6.6"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.6.6"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.6.6"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.6.7"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.6.7"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.6.7"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.6.7"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.6.7"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.6.8"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.6.9"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.6.9"},{"id":8968,"title":"WordPress 
4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.6.9"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.6.9"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.6.10"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.6.11"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.6.11"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.6.11"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.6.12"}]},"4.7.4":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_4.7.4","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2018-08-29T19:13:02.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2018-08-29T19:13:08.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2018-08-29T19:13:19.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"CSRF","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2018-08-29T19:13:07.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2018-08-29T19:12:58.000Z","published_date":"2017-05-16T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.7.6"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.7.6"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.7.6"},{"id":8912,"title":"WordPress 4.4-4.8.1 - Path Traversal in Customizer ","created_at":"2017-09-25T10:08:18.000Z","updated_at":"2018-08-29T20:00:17.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41397"],"cve":["2017-14722"]},"fixed_in":"4.7.6"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.7.6"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.7.6"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.7.7"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.7.8"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.7.8"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.7.8"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.7.8"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.7.9"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.7.10"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.7.10"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.7.10"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.7.11"}]},"4.7.5":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_4.7.5","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.7.6"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.7.6"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.7.6"},{"id":8912,"title":"WordPress 4.4-4.8.1 - Path Traversal in Customizer 
","created_at":"2017-09-25T10:08:18.000Z","updated_at":"2018-08-29T20:00:17.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41397"],"cve":["2017-14722"]},"fixed_in":"4.7.6"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.7.6"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.7.6"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.7.7"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.7.8"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.7.8"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.7.8"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.7.8"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.7.9"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.7.10"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.7.10"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.7.10"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.7.11"}]},"3.7.21":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_3.7.21","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.7.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"3.8.21":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_3.8.21","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.8.22"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.9.19":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_3.9.19","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"3.9.20"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.9.21"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"4.0.18":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_4.0.18","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.0.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.0.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.0.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.0.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.0.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"4.1.18":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_4.1.18","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.1.19"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.1.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.1.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.1.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.1.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.2.15":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_4.2.15","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.2.16"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.2.17"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.2.18"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.2.18"},{"id":8969,"title":"WordPress 
3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.2.18"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.2.19"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.2.20"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.2.20"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.2.20"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.2.21"}]},"4.3.11":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_4.3.11","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.3.12"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.3.13"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.3.14"},{"id":8967,"title":"WordPress 
1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.3.14"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.3.14"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.3.14"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.3.15"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.3.16"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.3.16"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.3.16"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.3.17"}]},"4.4.10":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_4.4.10","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.4.11"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.4.12"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.4.13"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.4.13"},{"id":8968,"title":"WordPress 
4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.4.13"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.4.13"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.4.14"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.4.15"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.4.15"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.4.15"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.4.16"}]},"4.5.9":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_4.5.9","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.5.10"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.5.10"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.5.10"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.5.10"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.5.10"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.5.11"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.5.12"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.5.12"},{"id":8968,"title":"WordPress 
4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.5.12"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.5.12"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.5.13"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.5.14"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.5.14"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.5.14"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.5.15"}]},"4.6.6":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_4.6.6","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.6.7"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2018-08-29T20:00:21.000Z","published_date":"2017-08-24T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.6.7"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.6.7"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.6.7"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.6.7"},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.6.8"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.6.9"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.6.9"},{"id":8968,"title":"WordPress 
4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.6.9"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.6.9"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.6.10"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.6.11"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.6.11"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.6.11"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.6.12"}]},"4.8":{"release_date":"2017-06-08","changelog_url":"https://codex.wordpress.org/Version_4.8","status":"insecure","vulnerabilities":[{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8912,"title":"WordPress 4.4-4.8.1 - Path Traversal in Customizer ","created_at":"2017-09-25T10:08:18.000Z","updated_at":"2018-08-29T20:00:17.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41397"],"cve":["2017-14722"]},"fixed_in":"4.8.2"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.8.2"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.8.2"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.8.4"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.8.4"},{"id":8968,"title":"WordPress 
4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.8.4"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.8.4"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.8.5"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.8.6"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.8.6"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.8.6"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.8.7"}]},"4.8.1":{"release_date":"2017-08-02","changelog_url":"https://codex.wordpress.org/Version_4.8.1","status":"insecure","vulnerabilities":[{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"fixed_in":"4.8.2"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2018-08-29T19:13:03.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2018-08-29T19:13:18.000Z","published_date":"2017-09-20T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"fixed_in":"4.8.2"},{"id":8912,"title":"WordPress 4.4-4.8.1 - Path Traversal in Customizer ","created_at":"2017-09-25T10:08:18.000Z","updated_at":"2018-08-29T20:00:17.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"LFI","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41397"],"cve":["2017-14722"]},"fixed_in":"4.8.2"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2018-08-29T19:13:01.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"fixed_in":"4.8.2"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2018-08-29T19:13:13.000Z","published_date":"2017-09-19T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"fixed_in":"4.8.2"},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.8.4"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.8.4"},{"id":8968,"title":"WordPress 
4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.8.4"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.8.4"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.8.5"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.8.6"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.8.6"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.8.6"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.8.7"}]},"3.7.22":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/Version_3.7.22","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.7.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - 
Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"3.8.22":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/Version_3.8.22","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.8.23"},{"id":8966,"title":"WordPress 2.8.6-4.9 - 
Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.9.20":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/Version_3.9.20","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"3.9.21"},{"id":8966,"title":"WordPress 2.8.6-4.9 - 
Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"4.0.19":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/Version_4.0.19","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.0.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - 
Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.0.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.0.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.0.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"4.1.19":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/Version_4.1.19","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.1.20"},{"id":8966,"title":"WordPress 2.8.6-4.9 - 
Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.1.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.1.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.1.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.2.16":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/Version_4.2.16","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.2.17"},{"id":8966,"title":"WordPress 2.8.6-4.9 - 
Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.2.18"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.2.18"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.2.18"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.2.19"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.2.20"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.2.20"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.2.20"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.2.21"}]},"4.3.12":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/Version_4.3.12","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.3.13"},{"id":8966,"title":"WordPress 2.8.6-4.9 - 
Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.3.14"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.3.14"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.3.14"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.3.14"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.3.15"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.3.16"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.3.16"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.3.16"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.3.17"}]},"4.4.11":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/Version_4.4.11","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() 
Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.4.12"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.4.13"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.4.13"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.4.13"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.4.13"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.4.14"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.4.15"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.4.15"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.4.15"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.4.16"}]},"4.5.10":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/Version_4.5.10","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.5.11"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.5.12"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.5.12"},{"id":8968,"title":"WordPress 
4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.5.12"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.5.12"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.5.13"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.5.14"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.5.14"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.5.14"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.5.15"}]},"4.6.7":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/Version_4.6.7","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.6.8"},{"id":8966,"title":"WordPress 2.8.6-4.9 - 
Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.6.9"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.6.9"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.6.9"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.6.9"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.6.10"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.6.11"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.6.11"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.6.11"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.6.12"}]},"4.7.6":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/Version_4.7.6","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.7.7"},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.7.8"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.7.8"},{"id":8968,"title":"WordPress 
4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.7.8"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.7.8"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.7.9"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.7.10"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.7.10"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.7.10"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.7.11"}]},"4.8.2":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/Version_4.8.2","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8941,"title":"WordPress \u003c= 4.8.2 - $wpdb-\u003eprepare() Weakness","created_at":"2017-10-31T15:26:02.000Z","updated_at":"2018-08-29T20:00:18.000Z","published_date":"2017-10-31T00:00:00.000Z","vuln_type":"SQLI","references":{"url":["https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/","https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d","https://twitter.com/ircmaxell/status/923662170092638208","https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html"],"cve":["2017-16510"]},"fixed_in":"4.8.3"},{"id":8966,"title":"WordPress 2.8.6-4.9 - 
Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.8.4"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.8.4"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.8.4"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.8.4"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.8.5"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.8.6"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.8.6"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.8.6"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.8.7"}]},"4.8.3":{"release_date":"2017-10-31","changelog_url":"https://codex.wordpress.org/Version_4.8.3","status":"insecure","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.3 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2018-08-29T19:13:09.000Z","published_date":"2017-05-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"fixed_in":null},{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.8.4"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.8.4"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.8.4"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.8.4"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.8.5"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.8.6"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.8.6"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.8.6"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.8.7"}]},"3.7.23":{"release_date":"2017-10-31","changelog_url":"https://codex.wordpress.org/Version_3.7.23","status":"insecure","vulnerabilities":[{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.7.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.7.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.7.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"3.8.23":{"release_date":"2017-10-31","changelog_url":"https://codex.wordpress.org/Version_3.8.23","status":"insecure","vulnerabilities":[{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.8.24"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.8.24"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.8.24"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.9.21":{"release_date":"2017-10-31","changelog_url":"https://codex.wordpress.org/Version_3.9.21","status":"insecure","vulnerabilities":[{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"3.9.22"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"3.9.22"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"3.9.22"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"4.0.20":{"release_date":"2017-10-31","changelog_url":"https://codex.wordpress.org/Version_4.0.20","status":"insecure","vulnerabilities":[{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.0.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.0.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.0.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"4.1.20":{"release_date":"2017-10-31","changelog_url":"https://codex.wordpress.org/Version_4.1.20","status":"insecure","vulnerabilities":[{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.1.21"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.1.21"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.1.21"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.2.17":{"release_date":"2017-10-31","changelog_url":"https://codex.wordpress.org/Version_4.2.17","status":"insecure","vulnerabilities":[{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.2.18"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.2.18"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak 
Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.2.18"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.2.19"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.2.20"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.2.20"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.2.20"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.2.21"}]},"4.3.13":{"release_date":"2017-10-31","changelog_url":"https://codex.wordpress.org/Version_4.3.13","status":"insecure","vulnerabilities":[{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File 
Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.3.14"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.3.14"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.3.14"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.3.14"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting 
(XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.3.15"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.3.16"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.3.16"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator 
Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.3.16"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.3.17"}]},"4.4.12":{"release_date":"2017-10-31","changelog_url":"https://codex.wordpress.org/Version_4.4.12","status":"insecure","vulnerabilities":[{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.4.13"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed 
Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.4.13"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.4.13"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.4.13"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.4.14"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.4.15"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.4.15"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.4.15"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.4.16"}]},"4.5.11":{"release_date":"2017-10-31","changelog_url":"https://codex.wordpress.org/Version_4.5.11","status":"insecure","vulnerabilities":[{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.5.12"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.5.12"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute 
Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.5.12"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.5.12"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.5.13"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.5.14"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.5.14"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.5.14"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.5.15"}]},"4.6.8":{"release_date":"2017-10-31","changelog_url":"https://codex.wordpress.org/Version_4.6.8","status":"insecure","vulnerabilities":[{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.6.9"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.6.9"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute 
Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.6.9"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.6.9"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.6.10"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.6.11"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.6.11"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.6.11"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.6.12"}]},"4.7.7":{"release_date":"2017-10-31","changelog_url":"https://codex.wordpress.org/Version_4.7.7","status":"insecure","vulnerabilities":[{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.7.8"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.7.8"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute 
Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.7.8"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.7.8"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.7.9"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.7.10"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.7.10"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.7.10"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.7.11"}]},"4.9":{"release_date":"2017-11-16","changelog_url":"https://codex.wordpress.org/Version_4.9","status":"insecure","vulnerabilities":[{"id":8966,"title":"WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload","created_at":"2017-11-30T08:51:56.000Z","updated_at":"2018-08-29T20:00:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"BYPASS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509"],"cve":["2017-17092"]},"fixed_in":"4.9.1"},{"id":8967,"title":"WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping","created_at":"2017-11-30T08:59:05.000Z","updated_at":"2018-08-29T19:12:56.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de"],"cve":["2017-17094"]},"fixed_in":"4.9.1"},{"id":8968,"title":"WordPress 4.3.0-4.9 - HTML Language Attribute 
Escaping","created_at":"2017-11-30T09:06:19.000Z","updated_at":"2018-08-29T19:13:12.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a"],"cve":["2017-17093"]},"fixed_in":"4.9.1"},{"id":8969,"title":"WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing","created_at":"2017-11-30T09:10:59.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2017-11-29T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c"],"cve":["2017-17091"]},"fixed_in":"4.9.1"},{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.9.2"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.9.5"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.9.5"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.9.5"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.9.7"}]},"4.9.1":{"release_date":"2017-11-29","changelog_url":"https://codex.wordpress.org/Version_4.9.1","status":"insecure","vulnerabilities":[{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.9.2"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.9.5"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.9.5"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.9.5"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.9.7"}]},"4.8.4":{"release_date":"2017-11-29","changelog_url":"https://codex.wordpress.org/Version_4.8.4","status":"insecure","vulnerabilities":[{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.8.5"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.8.6"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.8.6"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.8.6"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.8.7"}]},"4.7.8":{"release_date":"2017-11-29","changelog_url":"https://codex.wordpress.org/Version_4.7.8","status":"insecure","vulnerabilities":[{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.7.9"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.7.10"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.7.10"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.7.10"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.7.11"}]},"4.6.9":{"release_date":"2017-11-29","changelog_url":"https://codex.wordpress.org/Version_4.6.9","status":"insecure","vulnerabilities":[{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.6.10"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.6.11"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.6.11"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.6.11"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.6.12"}]},"4.5.12":{"release_date":"2017-11-29","changelog_url":"https://codex.wordpress.org/Version_4.5.12","status":"insecure","vulnerabilities":[{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.5.13"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.5.14"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.5.14"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.5.14"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.5.15"}]},"4.4.13":{"release_date":"2017-11-29","changelog_url":"https://codex.wordpress.org/Version_4.4.13","status":"insecure","vulnerabilities":[{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.4.14"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.4.15"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.4.15"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.4.15"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.4.16"}]},"4.3.14":{"release_date":"2017-11-29","changelog_url":"https://codex.wordpress.org/Version_4.3.14","status":"insecure","vulnerabilities":[{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.3.15"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.3.16"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.3.16"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.3.16"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.3.17"}]},"4.2.18":{"release_date":"2017-11-29","changelog_url":"https://codex.wordpress.org/Version_4.2.18","status":"insecure","vulnerabilities":[{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.2.19"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.2.20"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.2.20"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.2.20"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.2.21"}]},"4.1.21":{"release_date":"2017-11-29","changelog_url":"https://codex.wordpress.org/Version_4.1.21","status":"insecure","vulnerabilities":[{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.1.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.0.21":{"release_date":"2017-11-29","changelog_url":"https://codex.wordpress.org/Version_4.0.21","status":"insecure","vulnerabilities":[{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"4.0.22"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"3.9.22":{"release_date":"2017-11-29","changelog_url":"https://codex.wordpress.org/Version_3.9.22","status":"insecure","vulnerabilities":[{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.9.23"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"3.8.24":{"release_date":"2017-11-29","changelog_url":"https://codex.wordpress.org/Version_3.8.24","status":"insecure","vulnerabilities":[{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.8.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.7.24":{"release_date":"2017-11-29","changelog_url":"https://codex.wordpress.org/Version_3.7.24","status":"insecure","vulnerabilities":[{"id":9006,"title":"WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)","created_at":"2018-01-17T08:52:17.000Z","updated_at":"2018-08-29T20:00:16.000Z","published_date":"2018-01-17T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850","https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/","https://core.trac.wordpress.org/ticket/42720"],"cve":["2018-5776"]},"fixed_in":"3.7.25"},{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost 
Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"4.9.2":{"release_date":"2018-01-16","changelog_url":"https://codex.wordpress.org/Version_4.9.2","status":"insecure","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.9.5"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.9.5"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.9.5"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.9.7"}]},"4.8.5":{"release_date":"2018-01-16","changelog_url":"https://codex.wordpress.org/Version_4.8.5","status":"insecure","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.8.6"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.8.6"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.8.6"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.8.7"}]},"4.7.9":{"release_date":"2018-01-16","changelog_url":"https://codex.wordpress.org/Version_4.7.9","status":"insecure","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.7.10"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.7.10"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.7.10"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.7.11"}]},"4.6.10":{"release_date":"2018-01-16","changelog_url":"https://codex.wordpress.org/Version_4.6.10","status":"insecure","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.6.11"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.6.11"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.6.11"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.6.12"}]},"4.5.13":{"release_date":"2018-01-16","changelog_url":"https://codex.wordpress.org/Version_4.5.13","status":"insecure","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.5.14"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.5.14"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.5.14"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.5.15"}]},"4.4.14":{"release_date":"2018-01-16","changelog_url":"https://codex.wordpress.org/Version_4.4.14","status":"insecure","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.4.15"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.4.15"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.4.15"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.4.16"}]},"4.3.15":{"release_date":"2018-01-16","changelog_url":"https://codex.wordpress.org/Version_4.3.15","status":"insecure","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.3.16"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.3.16"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.3.16"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.3.17"}]},"4.2.19":{"release_date":"2018-01-16","changelog_url":"https://codex.wordpress.org/Version_4.2.19","status":"insecure","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.2.20"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.2.20"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.2.20"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.2.21"}]},"4.1.22":{"release_date":"2018-01-16","changelog_url":"https://codex.wordpress.org/Version_4.1.22","status":"insecure","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.1.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.1.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.1.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.0.22":{"release_date":"2018-01-16","changelog_url":"https://codex.wordpress.org/Version_4.0.22","status":"insecure","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.0.23"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.0.23"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.0.23"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"3.9.23":{"release_date":"2018-01-16","changelog_url":"https://codex.wordpress.org/Version_3.9.23","status":"insecure","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.9.24"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.9.24"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.9.24"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"3.8.25":{"release_date":"2018-01-16","changelog_url":"https://codex.wordpress.org/Version_3.8.25","status":"insecure","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.8.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.8.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.8.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.7.25":{"release_date":"2018-01-16","changelog_url":"https://codex.wordpress.org/Version_3.7.25","status":"insecure","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"3.7.26"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"3.7.26"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"3.7.26"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"4.9.3":{"release_date":"2018-02-05","changelog_url":"https://codex.wordpress.org/Version_4.9.3","status":"insecure","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) 
(unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.9.5"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.9.5"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.9.5"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.9.7"}]},"4.9.4":{"release_date":"2018-02-06","changelog_url":"https://codex.wordpress.org/Version_4.9.4","status":"insecure","vulnerabilities":[{"id":9021,"title":"WordPress \u003c= 4.9.4 - Application Denial of Service (DoS) (unpatched)","created_at":"2018-02-05T16:50:40.000Z","updated_at":"2018-08-29T19:13:04.000Z","published_date":"2018-02-05T00:00:00.000Z","vuln_type":"DOS","references":{"url":["https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html","https://github.com/quitten/doser.py","https://thehackernews.com/2018/02/wordpress-dos-exploit.html"],"cve":["2018-6389"]},"fixed_in":null},{"id":9053,"title":"WordPress 3.7-4.9.4 - Remove localhost Default","created_at":"2018-04-04T07:33:33.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"],"cve":["2018-10101"]},"fixed_in":"4.9.5"},{"id":9054,"title":"WordPress 3.7-4.9.4 - Use Safe Redirect for 
Login","created_at":"2018-04-04T07:57:46.000Z","updated_at":"2018-08-29T20:00:20.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"REDIRECT","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"],"cve":["2018-10100"]},"fixed_in":"4.9.5"},{"id":9055,"title":"WordPress 3.7-4.9.4 - Escape Version in Generator Tag","created_at":"2018-04-04T08:01:58.000Z","updated_at":"2018-08-29T20:00:19.000Z","published_date":"2018-04-03T00:00:00.000Z","vuln_type":"XSS","references":{"url":["https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"],"cve":["2018-10102"]},"fixed_in":"4.9.5"},{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.9.7"}]},"3.7.26":{"release_date":"2018-04-03","changelog_url":"https://codex.wordpress.org/Version_3.7.26","status":"insecure","vulnerabilities":[{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.7.27"}]},"3.8.26":{"release_date":"2018-04-03","changelog_url":"https://codex.wordpress.org/Version_3.8.26","status":"insecure","vulnerabilities":[{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.8.27"}]},"3.9.24":{"release_date":"2018-04-03","changelog_url":"https://codex.wordpress.org/Version_3.9.24","status":"insecure","vulnerabilities":[{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"3.9.25"}]},"4.0.23":{"release_date":"2018-04-03","changelog_url":"https://codex.wordpress.org/Version_4.0.23","status":"insecure","vulnerabilities":[{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.0.24"}]},"4.1.23":{"release_date":"2018-04-03","changelog_url":"https://codex.wordpress.org/Version_4.1.23","status":"insecure","vulnerabilities":[{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.1.24"}]},"4.2.20":{"release_date":"2018-04-03","changelog_url":"https://codex.wordpress.org/Version_4.2.20","status":"insecure","vulnerabilities":[{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.2.21"}]},"4.3.16":{"release_date":"2018-04-03","changelog_url":"https://codex.wordpress.org/Version_4.3.16","status":"insecure","vulnerabilities":[{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.3.17"}]},"4.4.15":{"release_date":"2018-04-03","changelog_url":"https://codex.wordpress.org/Version_4.4.15","status":"insecure","vulnerabilities":[{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.4.16"}]},"4.5.14":{"release_date":"2018-04-03","changelog_url":"https://codex.wordpress.org/Version_4.5.14","status":"insecure","vulnerabilities":[{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.5.15"}]},"4.6.11":{"release_date":"2018-04-03","changelog_url":"https://codex.wordpress.org/Version_4.6.11","status":"insecure","vulnerabilities":[{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.6.12"}]},"4.7.10":{"release_date":"2018-04-03","changelog_url":"https://codex.wordpress.org/Version_4.7.10","status":"insecure","vulnerabilities":[{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.7.11"}]},"4.8.6":{"release_date":"2018-04-03","changelog_url":"https://codex.wordpress.org/Version_4.8.6","status":"insecure","vulnerabilities":[{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.8.7"}]},"4.9.5":{"release_date":"2018-04-03","changelog_url":"https://codex.wordpress.org/Version_4.9.5","status":"insecure","vulnerabilities":[{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File 
Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.9.7"}]},"4.9.6":{"release_date":"2018-05-17","changelog_url":"https://codex.wordpress.org/Version_4.9.6","status":"insecure","vulnerabilities":[{"id":9100,"title":"WordPress \u003c= 4.9.6 - Authenticated Arbitrary File Deletion","created_at":"2018-06-27T08:10:57.000Z","updated_at":"2018-08-29T20:00:15.000Z","published_date":"2018-06-27T00:00:00.000Z","vuln_type":"UNKNOWN","references":{"url":["https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/","http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/","https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd","https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/","https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"],"cve":["2018-12895"]},"fixed_in":"4.9.7"}]},"3.7.27":{"release_date":"2018-07-05","changelog_url":"https://codex.wordpress.org/Version_3.7.27","status":"outdated","vulnerabilities":[]},"3.8.27":{"release_date":"2018-07-05","changelog_url":"https://codex.wordpress.org/Version_3.8.27","status":"outdated","vulnerabilities":[]},"3.9.25":{"release_date":"2018-07-05","changelog_url":"https://codex.wordpress.org/Version_3.9.25","status":"outdated",
"vulnerabilities":[]},"4.0.24":{"release_date":"2018-07-05","changelog_url":"https://codex.wordpress.org/Version_4.0.24","status":"outdated","vulnerabilities":[]},"4.1.24":{"release_date":"2018-07-05","changelog_url":"https://codex.wordpress.org/Version_4.1.24","status":"outdated","vulnerabilities":[]},"4.2.21":{"release_date":"2018-07-05","changelog_url":"https://codex.wordpress.org/Version_4.2.21","status":"outdated","vulnerabilities":[]},"4.3.17":{"release_date":"2018-07-05","changelog_url":"https://codex.wordpress.org/Version_4.3.17","status":"outdated","vulnerabilities":[]},"4.4.16":{"release_date":"2018-07-05","changelog_url":"https://codex.wordpress.org/Version_4.4.16","status":"outdated","vulnerabilities":[]},"4.5.15":{"release_date":"2018-07-05","changelog_url":"https://codex.wordpress.org/Version_4.5.15","status":"outdated","vulnerabilities":[]},"4.6.12":{"release_date":"2018-07-05","changelog_url":"https://codex.wordpress.org/Version_4.6.12","status":"outdated","vulnerabilities":[]},"4.7.11":{"release_date":"2018-07-05","changelog_url":"https://codex.wordpress.org/Version_4.7.11","status":"outdated","vulnerabilities":[]},"4.8.7":{"release_date":"2018-07-05","changelog_url":"https://codex.wordpress.org/Version_4.8.7","status":"outdated","vulnerabilities":[]},"4.9.7":{"release_date":"2018-07-05","changelog_url":"https://codex.wordpress.org/Version_4.9.7","status":"outdated","vulnerabilities":[]},"4.9.8":{"release_date":"2018-08-02","changelog_url":"https://codex.wordpress.org/Version_4.9.8","status":"latest","vulnerabilities":[]}} |