WordPress Foundation WordPress vulnerabilities
6 known vulnerabilities affecting wordpress_foundation/wordpress.
Total CVEs: 6
CISA KEV: 0
Public exploits: 2
Exploited in the wild: 0
Severity breakdown: MEDIUM 6
Vulnerabilities
CVE-2026-3906 | MEDIUM | CVSS 4.3 | CWE-862 | affected: ≥ 6.9, ≤ 6.9.1 | published 2026-03-11
WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the
Source: NVD
CVE-2022-4973 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≤ 3.6.1; ≥ 3.7, ≤ 3.7.38; +23 more ranges | published 2024-10-16
WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically Authors, Contributors, and Editors, making it possible to inject arbitrary web scripts into posts and pages that execute if the `the_meta()` function i
Source: NVD
CVE-2024-6307 | MEDIUM | CVSS 6.4 | affected: ≥ 5.9, ≤ 5.9.9; ≥ 6.0, ≤ 6.0.8; +5 more ranges | published 2024-06-25
WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an i
Source: NVD
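The class of bug behind CVE-2024-6307 is a URL attribute whose scheme is not checked before it is written back into HTML, so a stored value such as `javascript:` survives into an `href`. The block below is an added example, not WordPress's HTML API code: it normalises a URL the way a browser would (decoding HTML entities repeatedly and dropping the control characters browsers ignore inside a scheme) and then applies a scheme allowlist. The allowlist `ALLOWED_SCHEMES` is an illustrative assumption, not WordPress's own list.

```python
import html
import re
from typing import Optional

# Illustrative scheme allowlist (assumption: not WordPress's wp_allowed_protocols() list).
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel", "ftp"}

# Characters browsers ignore inside a scheme: ASCII controls, whitespace, DEL.
_STRIP_RE = re.compile(r"[\x00-\x20\x7f]")
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def normalize_url(url: str) -> str:
    """Undo the encodings that hide a scheme from a naive substring check.

    Entities are decoded until the string is stable (catches double encoding
    like &amp;#106;), then the characters browsers drop inside a scheme are removed.
    """
    prev = None
    while prev != url:
        prev = url
        url = html.unescape(url)
    return _STRIP_RE.sub("", url)


def url_scheme(url: str) -> Optional[str]:
    """Lower-cased scheme of the normalised URL, or None for a relative URL."""
    m = _SCHEME_RE.match(normalize_url(url))
    return m.group(1).lower() if m else None


def is_safe_url(url: str) -> bool:
    """True if the URL is relative (no scheme) or uses an allowed scheme."""
    scheme = url_scheme(url)
    return scheme is None or scheme in ALLOWED_SCHEMES


def safe_href(url: str) -> str:
    """What an escaping layer should emit for an href: the original URL,
    HTML-escaped, when its scheme is allowed; an empty string otherwise.
    The check runs on the normalised form, the output keeps the original bytes."""
    return html.escape(url, quote=True) if is_safe_url(url) else ""


if __name__ == "__main__":
    # Constructed sample values, not data from any site.
    for u in [
        "https://example.com/path?q=1",
        "/wp-admin/",
        "javascript:alert(1)",
        "JaVa\tScRiPt:alert(1)",
        "&#106;avascript:alert(1)",
        "&amp;#106;avascript:alert(1)",
        "data:text/html,<script>alert(1)</script>",
    ]:
        print(f"{str(is_safe_url(u)):5} {u!r}")
```

The point of `normalize_url` is that a blocklist on the literal text `javascript:` misses the tab-split, mixed-case and entity-encoded forms; deciding on the decoded scheme against an allowlist handles all of them at once.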
CVE-2024-4439 | MEDIUM | CVSS 6.1 | CWE-80 | PoC available | affected: ≥ 6.0, ≤ 6.0.7; ≥ 6.1, ≤ 6.1.5; +4 more ranges | published 2024-05-03
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a
Source: NVD
CVE-2023-5692 | MEDIUM | CVSS 5.3 | CWE-200 | affected: ≤ 6.4.3 | published 2024-04-05
WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the `redirect_guess_404_permalink` function. This can allow unauthenticated attackers to expose the slug of a post belonging to a custom post type registered with `publicly_queryable` set to false.
Source: NVD
CVE-2023-2745 | MEDIUM | CVSS 6.1 | CWE-22 | PoC available | affected: fixed in 4.1.38; ≥ 4.2, < 4.2.35; +20 more ranges | published 2023-05-17
WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the `wp_lang` parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could also be used to perfor
Source: NVD
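For CVE-2023-2745 the practical questions are what a safe `wp_lang` value looks like and how to spot traversal attempts in web server logs. The block below is an added example, not WordPress core code: `is_valid_locale` and `sanitize_locale` are my own re-implementation of an allowlist policy for locale names (letters, digits, underscore, hyphen, the shape of `de_DE` or `pt_BR`), and `suspicious_wp_lang` applies that policy to the `wp_lang` query parameter in constructed Apache-style access log lines, decoding a second time so double-encoded separators such as `%252F` do not slip past.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Allowlist policy for a locale name (assumption: my own re-implementation,
# not WordPress core's sanitisation code).
_LOCALE_RE = re.compile(r"^[A-Za-z0-9_-]+$")
# Request line inside a combined/common log entry.
_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def is_valid_locale(value: str) -> bool:
    """Reject anything that could alter the translation file path being built."""
    return bool(_LOCALE_RE.match(value))


def sanitize_locale(value: str) -> str:
    """Strip every character outside the allowed set. An allowlist, not a
    blocklist of '../', so encoded or backslash variants cannot dodge it."""
    return re.sub(r"[^A-Za-z0-9_-]", "", value)


# Constructed sample log lines (not a real capture); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2023:12:00:01 +0000] "GET /wp-login.php?wp_lang=de_DE HTTP/1.1" 200 4521
203.0.113.9 - - [10/May/2023:12:00:02 +0000] "GET /wp-login.php?wp_lang=../../../../wp-content/uploads/2023/05/evil HTTP/1.1" 200 4521
203.0.113.9 - - [10/May/2023:12:00:03 +0000] "GET /wp-login.php?wp_lang=..%252F..%252Fuploads%252Fx HTTP/1.1" 200 4521
198.51.100.7 - - [10/May/2023:12:00:04 +0000] "GET /wp-login.php?wp_lang=fr_FR HTTP/1.1" 200 4521
"""


def suspicious_wp_lang(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded wp_lang value) for each request whose
    wp_lang fails the locale policy."""
    hits = []
    for line in log_text.splitlines():
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for raw in parse_qs(query, keep_blank_values=True).get("wp_lang", []):
            # parse_qs decoded once already; decode again to see through
            # double-encoded separators (%252F -> %2F -> /).
            value = unquote(raw)
            if not is_valid_locale(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_wp_lang(SAMPLE_LOG):
        print(f"{ip} -> wp_lang={value!r}")
```

Alerting on the decoded value rather than on the literal `../` string is what makes the third log line visible; the same allowlist used for detection is the one a fixed server should enforce before the value reaches the file system.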