WordPress Core Vulnerabilities

🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Wordfence Intelligence > Vulnerability Database > WordPress Core

Showing 281-300 of 362 WordPress Core vulnerabilities

Submit a Vulnerability

WordPress Core <= 6.4.3 - Sensitive Information Exposure via redirect_guess_404_permalink

5.3

CVE-2023-5692

Apr 4, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core 4.7.0 - 6.3.1 - Sensitive Information Exposure via User Search REST Endpoint

5.3

CVE-2023-5561

Oct 12, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core 4.7.0-6.3.1 - Denial of Service via Cache Poisoning

5.3

CVE ID Unknown

Oct 12, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

WordPress Core < 6.0.3 - Information Disclosure (Email Address)

5.3

CVE-2022-43504

Oct 18, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core < 5.8.2 - ca-bundle.crt contains expired certificate DST Root CA X3

5.3

CVE ID Unknown

Nov 10, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

WordPress Core 5.4 - 5.8 - Sensitive Information Disclosure

5.3

CVE-2021-39200

Sep 9, 2021

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

WordPress Core < 5.4.2 - Comment Disclosure

5.3

CVE-2020-25286

Jun 10, 2020

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core < 5.2.4 - Authorization Bypass

5.3

CVE-2019-17671

Oct 14, 2019

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core - All Known Versions - Cleartext Storage of wp_signups.activation_key

5.3

CVE-2017-14990

Oct 10, 2017

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core < 4.7.1 - Weak Multi-Site Activation Key for User and Site Signup

5.3

CVE-2017-5493

Jan 11, 2017

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core < 4.5.3 - Denial of Service via oEmbed Protocol

5.3

CVE-2016-5836

Jun 18, 2016

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

WordPress Core < 4.5.3 - Password Change via Stolen Cookie

5.3

CVE-2016-5838

Jun 18, 2016

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

WordPress Core < 4.2.4 - Timing Side-Channel Attack

5.3

CVE-2015-5730

Aug 4, 2015

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core < 4.0.1 - Denial of Service via Long Password

5.3

CVE-2014-9034

Nov 20, 2014

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

WordPress Core <= 3.9.1 - XML External Entity (XXE) Weakness

5.3

CVE-2014-2053

Aug 6, 2014

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

WordPress Core <= 3.5.1 - Denial of Service via wp-postpass cookie

5.3

CVE-2013-2173

Jun 21, 2013

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

WordPress Core <= 3.3.2 - Sensitive Information Disclosure

5.3

CVE-2012-6634

Jun 27, 2012

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core < 3.1.3 - Username Enumeration

5.3

CVE-2011-3126

May 25, 2011

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core < 3.0.2 - Spam Protection Bypass

5.3

CVE-2010-5293

Nov 30, 2010

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

WordPress Core & WordPress MU < 2.8.1 - Full Path Disclosure

5.3

CVE-2009-2432

Sep 8, 2009

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Title	CVE ID	CVSS	Vector	Date
WordPress Core <= 6.4.3 - Sensitive Information Exposure via redirect_guess_404_permalink	CVE-2023-5692	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	April 4, 2024
WordPress Core 4.7.0 - 6.3.1 - Sensitive Information Exposure via User Search REST Endpoint	CVE-2023-5561	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	October 12, 2023
WordPress Core 4.7.0-6.3.1 - Denial of Service via Cache Poisoning		5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	October 12, 2023
WordPress Core < 6.0.3 - Information Disclosure (Email Address)	CVE-2022-43504	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	October 18, 2022
WordPress Core < 5.8.2 - ca-bundle.crt contains expired certificate DST Root CA X3		5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	November 10, 2021
WordPress Core 5.4 - 5.8 - Sensitive Information Disclosure	CVE-2021-39200	5.3	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N	September 9, 2021
WordPress Core < 5.4.2 - Comment Disclosure	CVE-2020-25286	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	June 10, 2020
WordPress Core < 5.2.4 - Authorization Bypass	CVE-2019-17671	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	October 14, 2019
WordPress Core - All Known Versions - Cleartext Storage of wp_signups.activation_key	CVE-2017-14990	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	October 10, 2017
WordPress Core < 4.7.1 - Weak Multi-Site Activation Key for User and Site Signup	CVE-2017-5493	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	January 11, 2017
WordPress Core < 4.5.3 - Denial of Service via oEmbed Protocol	CVE-2016-5836	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	June 18, 2016
WordPress Core < 4.5.3 - Password Change via Stolen Cookie	CVE-2016-5838	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	June 18, 2016
WordPress Core < 4.2.4 - Timing Side-Channel Attack	CVE-2015-5730	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	August 4, 2015
WordPress Core < 4.0.1 - Denial of Service via Long Password	CVE-2014-9034	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	November 20, 2014
WordPress Core <= 3.9.1 - XML External Entity (XXE) Weakness	CVE-2014-2053	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	August 6, 2014
WordPress Core <= 3.5.1 - Denial of Service via wp-postpass cookie	CVE-2013-2173	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	June 21, 2013
WordPress Core <= 3.3.2 - Sensitive Information Disclosure	CVE-2012-6634	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	June 27, 2012
WordPress Core < 3.1.3 - Username Enumeration	CVE-2011-3126	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	May 25, 2011
WordPress Core < 3.0.2 - Spam Protection Bypass	CVE-2010-5293	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	November 30, 2010
WordPress Core & WordPress MU < 2.8.1 - Full Path Disclosure	CVE-2009-2432	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	September 8, 2009

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation