All the vulnerabilities related to WordPress.org - WordPress
cve-2022-43497
Vulnerability from cvelistv5
Published
2022-12-05 00:00
Modified
2025-04-24 14:09
Severity ?
EPSS score ?
Summary
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WordPress.org | WordPress |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T13:32:59.252Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://wordpress.org/download/" }, { "tags": [ "x_transferred" ], "url": "https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN09409909/index.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2022-43497", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-24T14:09:53.043303Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-24T14:09:56.927Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "WordPress", "vendor": "WordPress.org", "versions": [ { "status": "affected", "version": "versions prior to 6.0.3" } ] } ], "descriptions": [ { "lang": "en", "value": "Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-02T00:00:00.000Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://wordpress.org/download/" }, { "url": "https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/" }, { "url": "https://jvn.jp/en/jp/JVN09409909/index.html" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2022-43497", "datePublished": "2022-12-05T00:00:00.000Z", "dateReserved": "2022-10-22T00:00:00.000Z", "dateUpdated": "2025-04-24T14:09:56.927Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-43504
Vulnerability from cvelistv5
Published
2022-12-05 00:00
Modified
2025-04-24 14:04
Severity ?
EPSS score ?
Summary
Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WordPress.org | WordPress |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T13:32:59.652Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://wordpress.org/download/" }, { "tags": [ "x_transferred" ], "url": "https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN09409909/index.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2022-43504", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-24T14:04:12.331568Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-24T14:04:17.689Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "WordPress", "vendor": "WordPress.org", "versions": [ { "status": "affected", "version": "versions prior to 6.0.3" } ] } ], "descriptions": [ { "lang": "en", "value": "Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Improper authentication", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-02T00:00:00.000Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://wordpress.org/download/" }, { "url": "https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/" }, { "url": "https://jvn.jp/en/jp/JVN09409909/index.html" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2022-43504", "datePublished": "2022-12-05T00:00:00.000Z", "dateReserved": "2022-10-22T00:00:00.000Z", "dateUpdated": "2025-04-24T14:04:17.689Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-43500
Vulnerability from cvelistv5
Published
2022-12-05 00:00
Modified
2025-04-24 14:06
Severity ?
EPSS score ?
Summary
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WordPress.org | WordPress |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T13:32:59.666Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://wordpress.org/download/" }, { "tags": [ "x_transferred" ], "url": "https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN09409909/index.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2022-43500", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-24T14:06:13.924261Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-24T14:06:16.807Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "WordPress", "vendor": "WordPress.org", "versions": [ { "status": "affected", "version": "versions prior to 6.0.3" } ] } ], "descriptions": [ { "lang": "en", "value": "Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-02T00:00:00.000Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://wordpress.org/download/" }, { "url": "https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/" }, { "url": "https://jvn.jp/en/jp/JVN09409909/index.html" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2022-43500", "datePublished": "2022-12-05T00:00:00.000Z", "dateReserved": "2022-10-22T00:00:00.000Z", "dateUpdated": "2025-04-24T14:06:16.807Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-38000
Vulnerability from cvelistv5
Published
2023-10-13 09:55
Modified
2024-08-02 17:23
Severity ?
EPSS score ?
Summary
Auth. Stored Cross-Site Scripting (XSS) vulnerability in WordPress core and Gutenberg plugin via Navigation Links Block
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WordPress.org | WordPress | |
Gutenberg Team | Gutenberg |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T17:23:27.829Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "third-party-advisory", "x_transferred" ], "url": "https://patchstack.com/articles/wordpress-core-6-3-2-security-update-technical-advisory?_s_id=cve" }, { "tags": [ "vdb-entry", "x_transferred" ], "url": "https://patchstack.com/database/vulnerability/wordpress/wordpress-core-6-3-2-contributor-stored-xss-in-navigation-links-block-vulnerability?_s_id=cve" }, { "tags": [ "vdb-entry", "x_transferred" ], "url": "https://patchstack.com/database/vulnerability/gutenberg/wordpress-gutenberg-plugin-16-8-0-contributor-stored-xss-in-navigation-links-block-vulnerability?_s_id=cve" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "WordPress", "vendor": "WordPress.org", "versions": [ { "changes": [ { "at": "6.3.2", "status": "unaffected" } ], "lessThanOrEqual": "6.3.1", "status": "affected", "version": "6.3", "versionType": "custom" }, { "changes": [ { "at": "6.2.3", "status": "unaffected" } ], "lessThanOrEqual": "6.2.2", "status": "affected", "version": "6.2", "versionType": "custom" }, { "changes": [ { "at": "6.1.4", "status": "unaffected" } ], "lessThanOrEqual": "6.1.3", "status": "affected", "version": "6.1", "versionType": "custom" }, { "changes": [ { "at": "6.0.6", "status": "unaffected" } ], "lessThanOrEqual": "6.0.5", "status": "affected", "version": "6.0", "versionType": "custom" }, { "changes": [ { "at": "5.9.8", "status": "unaffected" } ], "lessThanOrEqual": "5.9.7", "status": "affected", "version": "5.9", "versionType": "custom" } ] }, { "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "gutenberg", "product": "Gutenberg", "vendor": "Gutenberg Team", "versions": [ { "changes": [ { "at": "16.8.1", "status": "unaffected" } ], "lessThanOrEqual": "16.8.0", "status": "affected", 
"version": "n/a", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Rafie Muhammad (Patchstack)" }, { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Edouard Lamoine (Patchstack)" } ], "datePublic": "2023-10-13T05:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003e6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin \u0026lt;= 16.8.0 versions.\u003c/span\u003e" } ], "value": "Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core\u00a06.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin \u003c= 16.8.0 versions." 
} ], "impacts": [ { "capecId": "CAPEC-592", "descriptions": [ { "lang": "en", "value": "CAPEC-592 Stored XSS" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-13T10:34:00.870Z", "orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack" }, "references": [ { "tags": [ "third-party-advisory" ], "url": "https://patchstack.com/articles/wordpress-core-6-3-2-security-update-technical-advisory?_s_id=cve" }, { "tags": [ "vdb-entry" ], "url": "https://patchstack.com/database/vulnerability/wordpress/wordpress-core-6-3-2-contributor-stored-xss-in-navigation-links-block-vulnerability?_s_id=cve" }, { "tags": [ "vdb-entry" ], "url": "https://patchstack.com/database/vulnerability/gutenberg/wordpress-gutenberg-plugin-16-8-0-contributor-stored-xss-in-navigation-links-block-vulnerability?_s_id=cve" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update WordPress core to the 6.3.2,\u0026nbsp;6.2.3,\u0026nbsp;6.1.4,\u0026nbsp;6.0.6,\u0026nbsp;5.9.8 or a higher version." } ], "value": "Update WordPress core to the 6.3.2,\u00a06.2.3,\u00a06.1.4,\u00a06.0.6,\u00a05.9.8 or a higher version." }, { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update\u0026nbsp;Gutenberg to\u0026nbsp;16.8.1 or a higher version." 
} ], "value": "Update\u00a0Gutenberg to\u00a016.8.1 or a higher version." } ], "source": { "discovery": "EXTERNAL" }, "title": "Auth. Stored Cross-Site Scripting (XSS) vulnerability in WordPress core and Gutenberg plugin via Navigation Links Block", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "assignerShortName": "Patchstack", "cveId": "CVE-2023-38000", "datePublished": "2023-10-13T09:55:54.690Z", "dateReserved": "2023-07-11T12:50:13.630Z", "dateUpdated": "2024-08-02T17:23:27.829Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-39999
Vulnerability from cvelistv5
Published
2023-10-13 11:31
Modified
2025-02-13 17:03
Severity ?
EPSS score ?
Summary
WordPress < 6.3.2 is vulnerable to Broken Access Control
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WordPress.org | WordPress |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T18:18:10.210Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "third-party-advisory", "x_transferred" ], "url": "https://patchstack.com/articles/wordpress-core-6-3-2-security-update-technical-advisory?_s_id=cve" }, { "tags": [ "vdb-entry", "x_transferred" ], "url": "https://patchstack.com/database/vulnerability/wordpress/wordpress-wordpress-core-core-6-3-2-contributor-comment-read-on-private-and-password-protected-post-vulnerability?_s_id=cve" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EVFT4DPZRFTXJPEPADM22BZVIUD2P66/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQBL4ZQCBFNQ76XHM5257CIBFQRGT5QY/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCCVDPKOK57WCTH2QJ5DJM3B53RJNZKA/" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00014.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "WordPress", "vendor": "WordPress.org", "versions": [ { "changes": [ { "at": "6.3.2", "status": "unaffected" } ], "lessThanOrEqual": "6.3.1", "status": "affected", "version": "6.3", "versionType": "custom" }, { "changes": [ { "at": "6.2.3", "status": "unaffected" } ], "lessThanOrEqual": "6.2.2", "status": "affected", "version": "6.2", "versionType": "custom" }, { "changes": [ { "at": "6.1.4", "status": "unaffected" } ], "lessThanOrEqual": "6.13", "status": "affected", "version": "6.1", "versionType": "custom" }, { "changes": [ { "at": "6.0.6", "status": "unaffected" } ], "lessThanOrEqual": "6.0.5", "status": "affected", "version": "6.0", "versionType": "custom" }, { 
"changes": [ { "at": "5.9.8", "status": "unaffected" } ], "lessThanOrEqual": "5.9.7", "status": "affected", "version": "5.9", "versionType": "custom" }, { "changes": [ { "at": "5.8.8", "status": "unaffected" } ], "lessThanOrEqual": "5.8.7", "status": "affected", "version": "5.8", "versionType": "custom" }, { "changes": [ { "at": "5.7.10", "status": "unaffected" } ], "lessThanOrEqual": "5.7.9", "status": "affected", "version": "5.7", "versionType": "custom" }, { "changes": [ { "at": "5.6.12", "status": "unaffected" } ], "lessThanOrEqual": "5.6.11", "status": "affected", "version": "5.6", "versionType": "custom" }, { "changes": [ { "at": "5.5.13", "status": "unaffected" } ], "lessThanOrEqual": "5.5.12", "status": "affected", "version": "5.5", "versionType": "custom" }, { "changes": [ { "at": "5.4.14", "status": "unaffected" } ], "lessThanOrEqual": "5.4.13", "status": "affected", "version": "5.4", "versionType": "custom" }, { "changes": [ { "at": "5.3.16", "status": "unaffected" } ], "lessThanOrEqual": "5.3.15", "status": "affected", "version": "5.3", "versionType": "custom" }, { "changes": [ { "at": "5.2.19", "status": "unaffected" } ], "lessThanOrEqual": "5.2.18", "status": "affected", "version": "5.2", "versionType": "custom" }, { "changes": [ { "at": "5.1.17", "status": "unaffected" } ], "lessThanOrEqual": "5.1.16", "status": "affected", "version": "5.1", "versionType": "custom" }, { "changes": [ { "at": "5.0.20", "status": "unaffected" } ], "lessThanOrEqual": "5.0.19", "status": "affected", "version": "5.0", "versionType": "custom" }, { "changes": [ { "at": "4.9.24", "status": "unaffected" } ], "lessThanOrEqual": "4.9.23", "status": "affected", "version": "4.9", "versionType": "custom" }, { "changes": [ { "at": "4.8.23", "status": "unaffected" } ], "lessThanOrEqual": "4.8.22", "status": "affected", "version": "4.8", "versionType": "custom" }, { "changes": [ { "at": "4.7.27", "status": "unaffected" } ], "lessThanOrEqual": "4.7.26", "status": "affected", "version": 
"4.7", "versionType": "custom" }, { "changes": [ { "at": "4.6.27", "status": "unaffected" } ], "lessThanOrEqual": "4.6.26", "status": "affected", "version": "4.6", "versionType": "custom" }, { "changes": [ { "at": "4.5.30", "status": "unaffected" } ], "lessThanOrEqual": "4.5.29", "status": "affected", "version": "4.5", "versionType": "custom" }, { "changes": [ { "at": "4.4.31", "status": "unaffected" } ], "lessThanOrEqual": "4.4.30", "status": "affected", "version": "4.4", "versionType": "custom" }, { "changes": [ { "at": "4.3.32", "status": "unaffected" } ], "lessThanOrEqual": "4.3.31", "status": "affected", "version": "4.3", "versionType": "custom" }, { "changes": [ { "at": "4.2.36", "status": "unaffected" } ], "lessThanOrEqual": "4.2.35", "status": "affected", "version": "4.2", "versionType": "custom" }, { "changes": [ { "at": "4.1.39", "status": "unaffected" } ], "lessThanOrEqual": "4.1.38", "status": "affected", "version": "4.1", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Rafie Muhammad (Patchstack)" }, { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jb Audras (WordPress Security Team)" } ], "datePublic": "2023-10-13T05:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Exposure of Sensitive Information to an Unauthorized Actor in WordPress\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 
4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38.\u003c/span\u003e" } ], "value": "Exposure of Sensitive Information to an Unauthorized Actor in WordPress\u00a0from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38." } ], "impacts": [ { "capecId": "CAPEC-1", "descriptions": [ { "lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-20T23:06:12.283Z", "orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack" }, "references": [ { "tags": [ "third-party-advisory" ], "url": "https://patchstack.com/articles/wordpress-core-6-3-2-security-update-technical-advisory?_s_id=cve" }, { "tags": [ "vdb-entry" ], "url": 
"https://patchstack.com/database/vulnerability/wordpress/wordpress-wordpress-core-core-6-3-2-contributor-comment-read-on-private-and-password-protected-post-vulnerability?_s_id=cve" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EVFT4DPZRFTXJPEPADM22BZVIUD2P66/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQBL4ZQCBFNQ76XHM5257CIBFQRGT5QY/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCCVDPKOK57WCTH2QJ5DJM3B53RJNZKA/" }, { "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00014.html" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update to suitable (6.3.2,\u0026nbsp;6.2.3, 6.1.4, 6.0.6, 5.9.8, 5.8.8, 5.7.10, 5.6.12, 5.5.13, 5.4.14, 5.3.16, 5.2.19, 5.1.17, 5.0.20, 4.9.24, 4.8.23, 4.7.27, 4.6.27, 4.5.30, 4.4.31, 4.3.32, 4.2.36, 4.1.39) or a higher version." } ], "value": "Update to suitable (6.3.2,\u00a06.2.3, 6.1.4, 6.0.6, 5.9.8, 5.8.8, 5.7.10, 5.6.12, 5.5.13, 5.4.14, 5.3.16, 5.2.19, 5.1.17, 5.0.20, 4.9.24, 4.8.23, 4.7.27, 4.6.27, 4.5.30, 4.4.31, 4.3.32, 4.2.36, 4.1.39) or a higher version." } ], "source": { "discovery": "EXTERNAL" }, "title": "WordPress \u003c 6.3.2 is vulnerable to Broken Access Control", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "assignerShortName": "Patchstack", "cveId": "CVE-2023-39999", "datePublished": "2023-10-13T11:31:16.977Z", "dateReserved": "2023-08-08T11:43:05.859Z", "dateUpdated": "2025-02-13T17:03:20.665Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
jvndb-2012-002110
Vulnerability from jvndb
Published
2013-07-26 13:33
Modified
2013-07-26 13:33
Summary
WordPress vulnerable to cross-site scripting
Details
WordPress contains a cross-site scripting vulnerability due to an issue in the SWFUpload library.
ma.la reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
▼ | Type | URL |
---|---|---|
JVN | https://jvn.jp/en/jp/JVN25280162/ | |
CVE | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2399 | |
NVD | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2399 | |
Cross-site Scripting(CWE-79) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
▼ | Vendor | Product |
---|---|---|
WordPress.org | WordPress |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2012/JVNDB-2012-002110.html", "dc:date": "2013-07-26T13:33+09:00", "dcterms:issued": "2013-07-26T13:33+09:00", "dcterms:modified": "2013-07-26T13:33+09:00", "description": "WordPress contains a cross-site scripting vulnerability due to an issue in the SWFUpload library.\r\n\r\nma.la reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.", "link": "https://jvndb.jvn.jp/en/contents/2012/JVNDB-2012-002110.html", "sec:cpe": { "#text": "cpe:/a:wordpress:wordpress", "@product": "WordPress", "@vendor": "WordPress.org", "@version": "2.2" }, "sec:cvss": { "@score": "4.3", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "@version": "2.0" }, "sec:identifier": "JVNDB-2012-002110", "sec:references": [ { "#text": "https://jvn.jp/en/jp/JVN25280162/", "@id": "JVN#25280162", "@source": "JVN" }, { "#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2399", "@id": "CVE-2012-2399", "@source": "CVE" }, { "#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2399", "@id": "CVE-2012-2399", "@source": "NVD" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-79", "@title": "Cross-site Scripting(CWE-79)" } ], "title": "WordPress vulnerable to cross-site scripting" }
jvndb-2011-000110
Vulnerability from jvndb
Published
2011-12-26 14:26
Modified
2011-12-26 14:26
Summary
WordPress Japanese vulnerable to cross-site scripting
Details
WordPress Japanese contains a cross-site scripting vulnerability.
WordPress provided by WordPress.Org is a weblog system. WordPress Japanese contains a cross-site scripting vulnerability.
Katsuhiro Kawahara, Kozo Fukui of Kobe Digital Labo.,Inc. and Yuya Yoshida of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
▼ | Type | URL |
---|---|---|
JVN | http://jvn.jp/en/jp/JVN44439553/index.html | |
Cross-site Scripting(CWE-79) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
▼ | Vendor | Product |
---|---|---|
WordPress.org | WordPress |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000110.html", "dc:date": "2011-12-26T14:26+09:00", "dcterms:issued": "2011-12-26T14:26+09:00", "dcterms:modified": "2011-12-26T14:26+09:00", "description": "WordPress Japanese contains a cross-site scripting vulnerability.\r\n\r\nWordPress provided by WordPress.Org is a weblog system. WordPress Japanese contains a cross-site scripting vulnerability.\r\n\r\nKatsuhiro Kawahara, Kozo Fukui of Kobe Digital Labo.,Inc. and Yuya Yoshida of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.", "link": "https://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000110.html", "sec:cpe": { "#text": "cpe:/a:wordpress:wordpress", "@product": "WordPress", "@vendor": "WordPress.org", "@version": "2.2" }, "sec:cvss": { "@score": "4.3", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "@version": "2.0" }, "sec:identifier": "JVNDB-2011-000110", "sec:references": [ { "#text": "http://jvn.jp/en/jp/JVN44439553/index.html", "@id": "JVN#44439553", "@source": "JVN" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-79", "@title": "Cross-site Scripting(CWE-79)" } ], "title": "WordPress Japanese vulnerable to cross-site scripting" }
jvndb-2022-000087
Vulnerability from jvndb
Published
2022-11-08 14:59
Modified
2024-06-06 16:27
Severity ?
Summary
Multiple vulnerabilities in WordPress
Details
WordPress contains the multiple vulnerabilities listed below, which are related to the WordPress Post by Email Feature.
- Stored Cross-site scripting (CWE-79) - CVE-2022-43497
- Stored Cross-site scripting (CWE-79) - CVE-2022-43500
- Improper authentication (CWE-287) - CVE-2022-43504
Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
WordPress.org | WordPress |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000087.html", "dc:date": "2024-06-06T16:27+09:00", "dcterms:issued": "2022-11-08T14:59+09:00", "dcterms:modified": "2024-06-06T16:27+09:00", "description": "WordPress contains multiple vulnerabilities listed below which are to the WordPress Post by Email Feature.\r\n\u003cul\u003e\u003cli\u003eStored Cross-site scripting (CWE-79) - CVE-2022-43497\u003c/li\u003e\u003cli\u003eStored Cross-site scripting (CWE-79) - CVE-2022-43500\u003c/li\u003e\u003cli\u003eImproper authentication (CWE-287) - CVE-2022-43504\u003c/li\u003e\u003c/ul\u003e\r\nToshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.", "link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000087.html", "sec:cpe": { "#text": "cpe:/a:wordpress:wordpress", "@product": "WordPress", "@vendor": "WordPress.org", "@version": "2.2" }, "sec:cvss": [ { "@score": "5.0", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "@version": "2.0" }, { "@score": "5.3", "@severity": "Medium", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "@version": "3.0" } ], "sec:identifier": "JVNDB-2022-000087", "sec:references": [ { "#text": "http://jvn.jp/en/jp/JVN09409909/index.html", "@id": "JVN#09409909", "@source": "JVN" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2022-43497", "@id": "CVE-2022-43497", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2022-43500", "@id": "CVE-2022-43500", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2022-43504", "@id": "CVE-2022-43504", "@source": "CVE" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-43497", "@id": "CVE-2022-43497", "@source": "NVD" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-43500", "@id": "CVE-2022-43500", "@source": "NVD" }, { "#text": 
"https://nvd.nist.gov/vuln/detail/CVE-2022-43504", "@id": "CVE-2022-43504", "@source": "NVD" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-287", "@title": "Improper Authentication(CWE-287)" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-79", "@title": "Cross-site Scripting(CWE-79)" } ], "title": "Multiple vulnerabilities in WordPress" }
jvndb-2011-000109
Vulnerability from jvndb
Published
2011-12-26 14:28
Modified
2011-12-26 14:28
Summary
WordPress vulnerable to arbitrary PHP code execution
Details
WordPress contains a vulnerability where arbitrary PHP code may be executed.
WordPress provided by WordPress.Org is a weblog system. WordPress contains a vulnerability where arbitrary PHP code may be executed.
Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
▼ | Type | URL |
---|---|---|
JVN | http://jvn.jp/en/jp/JVN40498018/index.html | |
Code Injection(CWE-94) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
▼ | Vendor | Product |
---|---|---|
WordPress.org | WordPress |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000109.html", "dc:date": "2011-12-26T14:28+09:00", "dcterms:issued": "2011-12-26T14:28+09:00", "dcterms:modified": "2011-12-26T14:28+09:00", "description": "WordPress contains a vulnerability where arbitrary PHP code may be executed.\r\n\r\nWordPress provided by WordPress.Org is a weblog system. WordPress contains a vulnerability where arbitrary PHP code may be executed.\r\n\r\nTakeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.", "link": "https://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000109.html", "sec:cpe": { "#text": "cpe:/a:wordpress:wordpress", "@product": "WordPress", "@vendor": "WordPress.org", "@version": "2.2" }, "sec:cvss": { "@score": "6.5", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "@version": "2.0" }, "sec:identifier": "JVNDB-2011-000109", "sec:references": [ { "#text": "http://jvn.jp/en/jp/JVN40498018/index.html", "@id": "JVN#40498018", "@source": "JVN" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-94", "@title": "Code Injection(CWE-94)" } ], "title": "WordPress vulnerable to arbitrary PHP code execution" }