Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
wordpress wordpress 5.0 vulnerabilities and exploits
(subscribe to this query)
6.5
CVSSv2
CVE-2019-8942
WordPress prior to 4.9.9 and 5.x prior to 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by upl...
Wordpress Wordpress 5.0
Wordpress Wordpress
Debian Debian Linux 9.0
2 EDB exploits
7 Github repositories
4
CVSSv2
CVE-2019-8943
WordPress up to and including 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with th...
Wordpress Wordpress
2 EDB exploits
9 Github repositories
10
CVSSv2
CVE-2008-4796
The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and previous versions, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote malicious users to execute arbitrary commands vi...
Snoopy Project Snoopy
Debian Debian Linux 4.0
Debian Debian Linux 5.0
Nagios Nagios
Wordpress Wordpress
7.5
CVSSv2
CVE-2018-20148
In WordPress prior to 4.9.9 and 5.x prior to 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-i...
Wordpress Wordpress
Debian Debian Linux 8.0
Debian Debian Linux 9.0
2 Github repositories
3.5
CVSSv2
CVE-2018-20149
In WordPress prior to 4.9.9 and 5.x prior to 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.
Wordpress Wordpress
Debian Debian Linux 9.0
Debian Debian Linux 8.0
5
CVSSv2
CVE-2018-20151
In WordPress prior to 4.9.9 and 5.x prior to 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was...
Wordpress Wordpress
Debian Debian Linux 9.0
Debian Debian Linux 8.0
5.5
CVSSv2
CVE-2018-20147
In WordPress prior to 4.9.9 and 5.x prior to 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.
Wordpress Wordpress
Debian Debian Linux 9.0
Debian Debian Linux 8.0
4.3
CVSSv2
CVE-2018-20150
In WordPress prior to 4.9.9 and 5.x prior to 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins.
Wordpress Wordpress
Debian Debian Linux 8.0
Debian Debian Linux 9.0
4
CVSSv2
CVE-2018-20152
In WordPress prior to 4.9.9 and 5.x prior to 5.0.1, authors could bypass intended restrictions on post types via crafted input.
Wordpress Wordpress
Debian Debian Linux 8.0
Debian Debian Linux 9.0
3.5
CVSSv2
CVE-2018-20153
In WordPress prior to 4.9.9 and 5.x prior to 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.
Wordpress Wordpress
Debian Debian Linux 8.0
Debian Debian Linux 9.0
1 Github repository
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-21991
CVE-2024-32674
path traversal
CVE-2023-21987
denial of service
dos
CVE-2024-4647
CVE-2024-25519
CVE-2024-33612
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
NEXT »