Published: 16/04/2018 Updated: 07/03/2019
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 516
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Summary

Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.

Vendor Advisories

Debian Bug report logs - #895034 wordpress: CVE-2018-10100 CVE-2018-10101 CVE-2018-10102
Package: src:wordpress; Maintainer for src:wordpress is Craig Small <csmall@debian.org>; Reported by: Craig Small <csmall@debian.org>
Date: Fri, 6 Apr 2018 12:30:01 UTC
Severity: grave
Tags: fixed-upstream, security, upstream F ...

Several vulnerabilities were discovered in wordpress, a web blogging tool, which could allow remote attackers to compromise a site via cross-site scripting, bypass restrictions or unsafe redirects. More information can be found in the upstream advisory at wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/ For the o ...

Github Repositories

Project 7 - WordPress Pentesting
Time spent: 12 hours spent in total
Objective: Find, analyze, recreate, and document five vulnerabilities affecting an old version of WordPress
Pentesting Report
WordPress <= 4.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
Summary: Vulnerability types: XSS
Tested in version: 4.2
Fixed in version: 4.2.1
Exploit Database 3684