WordPress Core Vulnerabilities

🦸 Calling all superheroes! Introducing the WordPress Superhero Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities! Through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200. Check out the updated bounties here!

Wordfence Intelligence > Vulnerability Database > WordPress Core

Showing 301-320 of 362 WordPress Core vulnerabilities

Submit a Vulnerability

WordPress Core & WordPress MU < 2.8.1 - Username Enumeration

5.3

CVE-2009-2335

Jul 9, 2009

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core & WordPress MU < 2.8.1 - Username Enumeration

5.3

CVE-2009-2336

Jul 9, 2009

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core < 2.8 - Sensitive Information Disclosure

5.3

CVE-2009-2431

Jun 11, 2009

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core < 2.7 - Denial of Service

5.3

CVE-2008-6767

Dec 22, 2008

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

WordPress Core < 2.5 - Full Path Disclosure

5.3

CVE-2008-0191

Dec 16, 2007

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core < 2.2.3 - Restriction Bypass

5.3

CVE-2008-2146

Sep 8, 2007

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core < 2.1 - Full Path Disclosure

5.3

CVE-2008-0195

Jan 22, 2007

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core < 2.0.7 - Full Path Disclosure

5.3

CVE-2007-0262

Jan 15, 2007

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress < 2.0.6 - Username Enumeration via Error Messages

5.3

CVE-2007-0109

Jan 5, 2007

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core 2.0.2 - 2.0.5 - Sensitive Information Disclosure

5.3

CVE-2006-4743

Jan 5, 2007

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core < 1.5.2 - Full Path Disclosure

5.3

CVE-2005-4463

Aug 14, 2006

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core < 2.0.4 - Full Path Disclosure

5.3

CVE-2006-3390

Jul 29, 2006

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core < 2.0.3 - IP Address Spoofing

5.3

CVE-2006-2702

Jun 1, 2006

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

WordPress Core < 1.5.1.3 - Arbitrary Email Content Change

5.3

CVE-2005-2109

Jun 29, 2005

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

WordPress Core < 1.5.1 - Full Path Disclosure

5.3

CVE-2005-1688

May 9, 2005

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WordPress Core <= 1.2 - HTTP Response Splitting

5.3

CVE-2004-1584

Oct 6, 2004

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

WordPress Core < 4.5 - Server-Side Request Forgery

5.0

CVE-2016-4029

Sep 29, 2016

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

WordPress Core < 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via use of the_meta(); function

4.9

CVE ID Unknown

Aug 30, 2022

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.8.2 - Directory Traversal via Customizer

4.9

CVE-2017-14722

Sep 19, 2017

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

WordPress Core < 4.7.3 - Arbitrary File Deletion

4.9

CVE-2017-6816

Mar 6, 2017

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Title	CVE ID	CVSS	Vector	Date
WordPress Core & WordPress MU < 2.8.1 - Username Enumeration	CVE-2009-2335	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	July 9, 2009
WordPress Core & WordPress MU < 2.8.1 - Username Enumeration	CVE-2009-2336	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	July 9, 2009
WordPress Core < 2.8 - Sensitive Information Disclosure	CVE-2009-2431	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	June 11, 2009
WordPress Core < 2.7 - Denial of Service	CVE-2008-6767	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	December 22, 2008
WordPress Core < 2.5 - Full Path Disclosure	CVE-2008-0191	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	December 16, 2007
WordPress Core < 2.2.3 - Restriction Bypass	CVE-2008-2146	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	September 8, 2007
WordPress Core < 2.1 - Full Path Disclosure	CVE-2008-0195	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	January 22, 2007
WordPress Core < 2.0.7 - Full Path Disclosure	CVE-2007-0262	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	January 15, 2007
WordPress < 2.0.6 - Username Enumeration via Error Messages	CVE-2007-0109	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	January 5, 2007
WordPress Core 2.0.2 - 2.0.5 - Sensitive Information Disclosure	CVE-2006-4743	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	January 5, 2007
WordPress Core < 1.5.2 - Full Path Disclosure	CVE-2005-4463	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	August 14, 2006
WordPress Core < 2.0.4 - Full Path Disclosure	CVE-2006-3390	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	July 29, 2006
WordPress Core < 2.0.3 - IP Address Spoofing	CVE-2006-2702	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	June 1, 2006
WordPress Core < 1.5.1.3 - Arbitrary Email Content Change	CVE-2005-2109	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	June 29, 2005
WordPress Core < 1.5.1 - Full Path Disclosure	CVE-2005-1688	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	May 9, 2005
WordPress Core <= 1.2 - HTTP Response Splitting	CVE-2004-1584	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	October 6, 2004
WordPress Core < 4.5 - Server-Side Request Forgery	CVE-2016-4029	5.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N	September 29, 2016
WordPress Core < 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via use of the_meta(); function		4.9	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N	August 30, 2022
WordPress Core < 4.8.2 - Directory Traversal via Customizer	CVE-2017-14722	4.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N	September 19, 2017
WordPress Core < 4.7.3 - Arbitrary File Deletion	CVE-2017-6816	4.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N	March 6, 2017

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation