WordPress Core Vulnerabilities

🦸 Calling all superheroes! Introducing the WordPress Superhero Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities! Through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200. Check out the updated bounties here!

Wordfence Intelligence > Vulnerability Database > WordPress Core

Showing 141-160 of 362 WordPress Core vulnerabilities

Submit a Vulnerability

WordPress Core < 4.7.2 - Authorization Bypass to Term Disclosure

4.3

CVE-2017-5610

Jan 26, 2017

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

WordPress Core < 4.7.2 - Authenticated SQL Injection

8.8

CVE-2017-5611

Jan 26, 2017

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

WordPress Core < 4.7.2 - Cross-Site Scripting

6.1

CVE-2017-5612

Jan 26, 2017

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

WordPress Core < 4.7.2 - Arbitrary Page Modification

7.3

CVE-2017-1001000

Jan 26, 2017

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H

WordPress Core < 4.7.1 - Cross-Site Request Forgery via Uploading Flash File

8.8

CVE-2017-5489

Jan 11, 2017

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

WordPress Core < 4.7.1 - Information Disclosure

4.3

CVE-2017-5487

Jan 11, 2017

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

WordPress Core < 4.7.1 - Cross-Site Request Forgery via Widget Editing

8.8

CVE-2017-5492

Jan 11, 2017

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

WordPress Core < 4.7.1 - Cross-Site Scripting via Name and Version Header of Plugin

5.5

CVE-2017-5488

Jan 11, 2017

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.7.1 - Authorization Bypass

8.3

CVE-2017-5491

Jan 11, 2017

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

WordPress Core < 4.7.1 - Stored Cross-Site Scripting via theme directory name

5.5

CVE-2017-5490

Jan 11, 2017

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.7.1 - Weak Multi-Site Activation Key for User and Site Signup

5.3

CVE-2017-5493

Jan 11, 2017

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core < 4.7.2 - Path Disclosure

4.3

CVE-2017-6514

Jan 1, 2017

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

WordPress Core < 4.5 - Server-Side Request Forgery

5.0

CVE-2016-4029

Sep 29, 2016

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

WordPress Core < 4.6.1 - Authenticated Stored Cross-Site Scripting

4.8

CVE-2016-7168

Sep 7, 2016

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

WordPress Core < 4.6.1 - Authenticated Directory Traversal to Arbitrary File Access

6.5

CVE-2016-7169

Sep 7, 2016

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

WordPress Core <= 4.5.3 - Denial of Service

6.5

CVE-2016-6896

Aug 22, 2016

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

WordPress Core < 4.6 - Authorization Bypass

4.3

CVE-2016-10148

Aug 16, 2016

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

WordPress Core < 4.6 - Cross-Site Request Forgery

8.8

CVE-2016-6897

Aug 16, 2016

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

WordPress Core < 4.5.3 - Cross-Site Scripting via Customizer

5.5

CVE-2016-5832

Jun 18, 2016

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.5.3 - Denial of Service via oEmbed Protocol

5.3

CVE-2016-5836

Jun 18, 2016

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Title	CVE ID	CVSS	Vector	Date
WordPress Core < 4.7.2 - Authorization Bypass to Term Disclosure	CVE-2017-5610	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	January 26, 2017
WordPress Core < 4.7.2 - Authenticated SQL Injection	CVE-2017-5611	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	January 26, 2017
WordPress Core < 4.7.2 - Cross-Site Scripting	CVE-2017-5612	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	January 26, 2017
WordPress Core < 4.7.2 - Arbitrary Page Modification	CVE-2017-1001000	7.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H	January 26, 2017
WordPress Core < 4.7.1 - Cross-Site Request Forgery via Uploading Flash File	CVE-2017-5489	8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	January 11, 2017
WordPress Core < 4.7.1 - Information Disclosure	CVE-2017-5487	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	January 11, 2017
WordPress Core < 4.7.1 - Cross-Site Request Forgery via Widget Editing	CVE-2017-5492	8.8	CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H	January 11, 2017
WordPress Core < 4.7.1 - Cross-Site Scripting via Name and Version Header of Plugin	CVE-2017-5488	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	January 11, 2017
WordPress Core < 4.7.1 - Authorization Bypass	CVE-2017-5491	8.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L	January 11, 2017
WordPress Core < 4.7.1 - Stored Cross-Site Scripting via theme directory name	CVE-2017-5490	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	January 11, 2017
WordPress Core < 4.7.1 - Weak Multi-Site Activation Key for User and Site Signup	CVE-2017-5493	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	January 11, 2017
WordPress Core < 4.7.2 - Path Disclosure	CVE-2017-6514	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	January 1, 2017
WordPress Core < 4.5 - Server-Side Request Forgery	CVE-2016-4029	5.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N	September 29, 2016
WordPress Core < 4.6.1 - Authenticated Stored Cross-Site Scripting	CVE-2016-7168	4.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N	September 7, 2016
WordPress Core < 4.6.1 - Authenticated Directory Traversal to Arbitrary File Access	CVE-2016-7169	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	September 7, 2016
WordPress Core <= 4.5.3 - Denial of Service	CVE-2016-6896	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H	August 22, 2016
WordPress Core < 4.6 - Authorization Bypass	CVE-2016-10148	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	August 16, 2016
WordPress Core < 4.6 - Cross-Site Request Forgery	CVE-2016-6897	8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	August 16, 2016
WordPress Core < 4.5.3 - Cross-Site Scripting via Customizer	CVE-2016-5832	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	June 18, 2016
WordPress Core < 4.5.3 - Denial of Service via oEmbed Protocol	CVE-2016-5836	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	June 18, 2016

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation