WordPress Core Vulnerabilities

🦸 Calling all superheroes! Introducing the WordPress Superhero Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities! Through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200. Check out the updated bounties here!

Wordfence Intelligence > Vulnerability Database > WordPress Core

Showing 161-180 of 362 WordPress Core vulnerabilities

Submit a Vulnerability

WordPress Core < 4.7.3 - Cross-Site Scripting via Taxonomy names

6.4

CVE-2017-6818

Mar 6, 2017

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.5.3 - Cross-Site Scripting via Attachment Name #2

6.4

CVE-2016-5833

Jun 18, 2016

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.5.3 - Cross-Site Scripting via Attachment Name

6.4

CVE-2016-5834

Jun 18, 2016

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.5.2 - Cross-Site Scripting via MediaElement.js

6.4

CVE-2016-4567

May 6, 2016

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.5 - Cross-Site Scripting via Network Settings Page

6.4

CVE-2016-6634

Apr 12, 2016

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.4.2 - Server-Side Request Forgery

6.4

CVE-2016-2222

Feb 2, 2016

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.3.1 - Cross-Site Scripting via Shortcodes

6.4

CVE-2015-5714

Sep 15, 2015

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.3.1 - Authenticated Cross-Site Scripting

6.4

CVE-2015-7989

Sep 15, 2015

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2015-5622

Jul 23, 2015

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Twenty Fifteen Theme <= 1.1 & WordPress Core < 4.2.2 - Cross-Site Scripting via example.html

6.4

CVE-2015-3429

Apr 8, 2015

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.0.1 - Cross-Site Scripting via CSS

6.4

CVE-2014-9036

Nov 20, 2014

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.0.1 - Cross-Site Scripting via Shortcode Brackets

6.4

CVE-2014-9031

Nov 20, 2014

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.0.1 - Cross-Site Scripting

6.4

CVE-2014-9035

Nov 20, 2014

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 3.6.1 - .swf and .exe File Upload

6.4

CVE-2013-5739

Sep 11, 2013

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 3.6.1 - HTML File Upload

6.4

CVE-2013-5738

Sep 11, 2013

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 3.5.2 - Cross-Site Scripting via Multiple Vectors

6.4

CVE-2013-2201

Jun 21, 2013

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 3.5.2 - Cross-Site Scripting

6.4

CVE-2013-2205

Jun 21, 2013

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 3.5.1 - Cross-Site Scripting

6.4

CVE-2013-0237

Jan 24, 2013

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 3.5.1 - Stored Cross-Site Scripting

6.4

CVE-2013-0236

Jan 24, 2013

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 3.4.2 - Cross-Site Scripting

6.4

CVE-2012-3383

Sep 6, 2012

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Title	CVE ID	CVSS	Vector	Date
WordPress Core < 4.7.3 - Cross-Site Scripting via Taxonomy names	CVE-2017-6818	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	March 6, 2017
WordPress Core < 4.5.3 - Cross-Site Scripting via Attachment Name #2	CVE-2016-5833	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	June 18, 2016
WordPress Core < 4.5.3 - Cross-Site Scripting via Attachment Name	CVE-2016-5834	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	June 18, 2016
WordPress Core < 4.5.2 - Cross-Site Scripting via MediaElement.js	CVE-2016-4567	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 6, 2016
WordPress Core < 4.5 - Cross-Site Scripting via Network Settings Page	CVE-2016-6634	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	April 12, 2016
WordPress Core < 4.4.2 - Server-Side Request Forgery	CVE-2016-2222	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	February 2, 2016
WordPress Core < 4.3.1 - Cross-Site Scripting via Shortcodes	CVE-2015-5714	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 15, 2015
WordPress Core < 4.3.1 - Authenticated Cross-Site Scripting	CVE-2015-7989	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 15, 2015
WordPress Core < 4.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2015-5622	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	July 23, 2015
Twenty Fifteen Theme <= 1.1 & WordPress Core < 4.2.2 - Cross-Site Scripting via example.html	CVE-2015-3429	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	April 8, 2015
WordPress Core < 4.0.1 - Cross-Site Scripting via CSS	CVE-2014-9036	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	November 20, 2014
WordPress Core < 4.0.1 - Cross-Site Scripting via Shortcode Brackets	CVE-2014-9031	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	November 20, 2014
WordPress Core < 4.0.1 - Cross-Site Scripting	CVE-2014-9035	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	November 20, 2014
WordPress Core < 3.6.1 - .swf and .exe File Upload	CVE-2013-5739	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 11, 2013
WordPress Core < 3.6.1 - HTML File Upload	CVE-2013-5738	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 11, 2013
WordPress Core < 3.5.2 - Cross-Site Scripting via Multiple Vectors	CVE-2013-2201	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	June 21, 2013
WordPress Core < 3.5.2 - Cross-Site Scripting	CVE-2013-2205	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	June 21, 2013
WordPress Core < 3.5.1 - Cross-Site Scripting	CVE-2013-0237	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	January 24, 2013
WordPress Core < 3.5.1 - Stored Cross-Site Scripting	CVE-2013-0236	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	January 24, 2013
WordPress Core < 3.4.2 - Cross-Site Scripting	CVE-2012-3383	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 6, 2012

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation