WordPress Core Vulnerabilities

🦸 Calling all superheroes! Introducing the WordPress Superhero Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities! Through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200. Check out the updated bounties here!

Wordfence Intelligence > Vulnerability Database > WordPress Core

Showing 161-180 of 362 WordPress Core vulnerabilities

Submit a Vulnerability

WordPress Core < 4.5.3 - Cross-Site Scripting via Customizer

5.5

CVE-2016-5832

Jun 18, 2016

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.5.3 - Denial of Service via oEmbed Protocol

5.3

CVE-2016-5836

Jun 18, 2016

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

WordPress Core < 4.5.3 - Revision History Disclosure

4.3

CVE-2016-5835

Jun 18, 2016

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

WordPress Core < 4.5.3 - Authorization Bypass to Remove Category Attribute

5.4

CVE-2016-5837

Jun 18, 2016

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

WordPress Core < 4.5.3 - Cross-Site Scripting via Attachment Name

6.4

CVE-2016-5834

Jun 18, 2016

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.5.3 - Bypass sanitize_file_name Protection

7.3

CVE-2016-5839

Jun 18, 2016

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

WordPress Core < 4.5.2 - Cross-Site Scripting via plupload.flash.swf

6.1

CVE-2016-4566

May 6, 2016

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

WordPress Core < 4.5.2 - Cross-Site Scripting via MediaElement.js

6.4

CVE-2016-4567

May 6, 2016

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.5 - Cross-Site Scripting via Network Settings Page

6.4

CVE-2016-6634

Apr 12, 2016

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.5 - Cross-Site Request Forgery via wp_ajax_wp_compression_test

8.8

CVE-2016-6635

Mar 12, 2016

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

WordPress Core < 4.4.2 - Server-Side Request Forgery

6.4

CVE-2016-2222

Feb 2, 2016

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.4.2 - Open Redirect via wp_validate_redirect

5.4

CVE-2016-2221

Feb 2, 2016

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

WordPress Core < 4.4.1 - Cross-Site Scripting via Theme Names

5.5

CVE-2016-1564

Jan 16, 2016

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.3.1 - Authenticated Cross-Site Scripting

6.4

CVE-2015-7989

Sep 15, 2015

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.3.1 - Cross-Site Scripting via Shortcodes

6.4

CVE-2015-5714

Sep 15, 2015

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.3.1 - Authorization Bypass to Information Disclosure

5.4

CVE-2015-5715

Sep 15, 2015

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

WordPress Core < 4.2.4 - Cross-Site Scripting via Widget Title

5.5

CVE-2015-5732

Aug 4, 2015

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.2.4 - SQL Injection

8.8

CVE-2015-2213

Aug 4, 2015

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

WordPress Core < 4.2.4 - Cross-Site Scripting in Theme Preview

6.1

CVE-2015-5734

Aug 4, 2015

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

WordPress Core < 4.2.4 - Cross-Site Request Forgery to Post Lockage

9.6

CVE-2015-5731

Aug 4, 2015

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Title	CVE ID	CVSS	Vector	Date
WordPress Core < 4.5.3 - Cross-Site Scripting via Customizer	CVE-2016-5832	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	June 18, 2016
WordPress Core < 4.5.3 - Denial of Service via oEmbed Protocol	CVE-2016-5836	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	June 18, 2016
WordPress Core < 4.5.3 - Revision History Disclosure	CVE-2016-5835	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	June 18, 2016
WordPress Core < 4.5.3 - Authorization Bypass to Remove Category Attribute	CVE-2016-5837	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L	June 18, 2016
WordPress Core < 4.5.3 - Cross-Site Scripting via Attachment Name	CVE-2016-5834	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	June 18, 2016
WordPress Core < 4.5.3 - Bypass sanitize_file_name Protection	CVE-2016-5839	7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	June 18, 2016
WordPress Core < 4.5.2 - Cross-Site Scripting via plupload.flash.swf	CVE-2016-4566	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	May 6, 2016
WordPress Core < 4.5.2 - Cross-Site Scripting via MediaElement.js	CVE-2016-4567	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 6, 2016
WordPress Core < 4.5 - Cross-Site Scripting via Network Settings Page	CVE-2016-6634	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	April 12, 2016
WordPress Core < 4.5 - Cross-Site Request Forgery via wp_ajax_wp_compression_test	CVE-2016-6635	8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	March 12, 2016
WordPress Core < 4.4.2 - Server-Side Request Forgery	CVE-2016-2222	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	February 2, 2016
WordPress Core < 4.4.2 - Open Redirect via wp_validate_redirect	CVE-2016-2221	5.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L	February 2, 2016
WordPress Core < 4.4.1 - Cross-Site Scripting via Theme Names	CVE-2016-1564	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	January 16, 2016
WordPress Core < 4.3.1 - Authenticated Cross-Site Scripting	CVE-2015-7989	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 15, 2015
WordPress Core < 4.3.1 - Cross-Site Scripting via Shortcodes	CVE-2015-5714	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 15, 2015
WordPress Core < 4.3.1 - Authorization Bypass to Information Disclosure	CVE-2015-5715	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N	September 15, 2015
WordPress Core < 4.2.4 - Cross-Site Scripting via Widget Title	CVE-2015-5732	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	August 4, 2015
WordPress Core < 4.2.4 - SQL Injection	CVE-2015-2213	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	August 4, 2015
WordPress Core < 4.2.4 - Cross-Site Scripting in Theme Preview	CVE-2015-5734	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	August 4, 2015
WordPress Core < 4.2.4 - Cross-Site Request Forgery to Post Lockage	CVE-2015-5731	9.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H	August 4, 2015

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation