WordPress Core Vulnerabilities

🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Wordfence Intelligence > Vulnerability Database > WordPress Core

Showing 241-260 of 362 WordPress Core vulnerabilities

Submit a Vulnerability

WordPress Core < 5.4.2 - Open Redirect

5.7

CVE-2020-4048

Jun 10, 2020

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

WordPress Core < 6.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting via Customizer

5.5

CVE ID Unknown

Oct 18, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 6.0.3 - Authenticated (Editor+) Stored Cross-Site Scripting via Comments

5.5

CVE ID Unknown

Oct 18, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 5.2.4 - Type Confusion

5.5

CVE-2019-17675

Oct 14, 2019

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

WordPress Core < 5.2.4 - Authenticated Stored Cross-Site Scripting via Customizer

5.5

CVE-2019-17674

Oct 14, 2019

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.8.2 - Stored Cross-Site Scripting via Plugin Names

5.5

CVE-2017-14721

Sep 19, 2017

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.7.5 - Cross-Site Scripting via Customizer

5.5

CVE-2017-9063

May 16, 2017

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.7.1 - Stored Cross-Site Scripting via theme directory name

5.5

CVE-2017-5490

Jan 11, 2017

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.7.1 - Cross-Site Scripting via Name and Version Header of Plugin

5.5

CVE-2017-5488

Jan 11, 2017

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.5.3 - Cross-Site Scripting via Customizer

5.5

CVE-2016-5832

Jun 18, 2016

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.4.1 - Cross-Site Scripting via Theme Names

5.5

CVE-2016-1564

Jan 16, 2016

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.2.4 - Cross-Site Scripting via Widget Title

5.5

CVE-2015-5732

Aug 4, 2015

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

WordPress Core <= 2.2.1 - Authenticated (Admin+) Cross-Site Scripting

5.5

CVE-2007-4153

Aug 5, 2007

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 6.3.2 – Authenticated (Subscriber+) Arbitrary Shortcode Execution via parse-media-shortcode

5.4

CVE ID Unknown

Oct 12, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

WordPress Core < 6.2.1 - Directory Traversal

5.4

CVE-2023-2745

May 16, 2023

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 6.0.3 - Open Redirect

5.4

CVE ID Unknown

Oct 18, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

WordPress Core < 5.9.2 & Gutenberg < 12.7.2 - Prototype Pollution via Block Editor

5.4

CVE ID Unknown

Mar 11, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

WordPress Core < 5.5.2 - Arbitrary File Deletion

5.4

CVE-2020-28039

Oct 29, 2020

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

WordPress Core < 5.4.2 - Authenticated Stored Cross-Site Scripting

5.4

CVE-2020-4046

Jun 10, 2020

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

WordPress Core < 5.2.4 - Server Side Request Forgery

5.4

CVE-2019-17669

Oct 14, 2019

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Title	CVE ID	CVSS	Vector	Date
WordPress Core < 5.4.2 - Open Redirect	CVE-2020-4048	5.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N	June 10, 2020
WordPress Core < 6.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting via Customizer		5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	October 18, 2022
WordPress Core < 6.0.3 - Authenticated (Editor+) Stored Cross-Site Scripting via Comments		5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	October 18, 2022
WordPress Core < 5.2.4 - Type Confusion	CVE-2019-17675	5.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L	October 14, 2019
WordPress Core < 5.2.4 - Authenticated Stored Cross-Site Scripting via Customizer	CVE-2019-17674	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	October 14, 2019
WordPress Core < 4.8.2 - Stored Cross-Site Scripting via Plugin Names	CVE-2017-14721	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	September 19, 2017
WordPress Core < 4.7.5 - Cross-Site Scripting via Customizer	CVE-2017-9063	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	May 16, 2017
WordPress Core < 4.7.1 - Stored Cross-Site Scripting via theme directory name	CVE-2017-5490	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	January 11, 2017
WordPress Core < 4.7.1 - Cross-Site Scripting via Name and Version Header of Plugin	CVE-2017-5488	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	January 11, 2017
WordPress Core < 4.5.3 - Cross-Site Scripting via Customizer	CVE-2016-5832	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	June 18, 2016
WordPress Core < 4.4.1 - Cross-Site Scripting via Theme Names	CVE-2016-1564	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	January 16, 2016
WordPress Core < 4.2.4 - Cross-Site Scripting via Widget Title	CVE-2015-5732	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	August 4, 2015
WordPress Core <= 2.2.1 - Authenticated (Admin+) Cross-Site Scripting	CVE-2007-4153	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	August 5, 2007
WordPress Core < 6.3.2 – Authenticated (Subscriber+) Arbitrary Shortcode Execution via parse-media-shortcode		5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N	October 12, 2023
WordPress Core < 6.2.1 - Directory Traversal	CVE-2023-2745	5.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N	May 16, 2023
WordPress Core < 6.0.3 - Open Redirect		5.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N	October 18, 2022
WordPress Core < 5.9.2 & Gutenberg < 12.7.2 - Prototype Pollution via Block Editor		5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	March 11, 2022
WordPress Core < 5.5.2 - Arbitrary File Deletion	CVE-2020-28039	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L	October 29, 2020
WordPress Core < 5.4.2 - Authenticated Stored Cross-Site Scripting	CVE-2020-4046	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	June 10, 2020
WordPress Core < 5.2.4 - Server Side Request Forgery	CVE-2019-17669	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N	October 14, 2019

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation