The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of WP

vulnerability announcement CVE-2018-12895

WordPress Core: file deletion via Author Delete

Synthesis of the vulnerability

An attacker can generate a fatal error via Author Delete of WordPress Core, in order to trigger a denial of service.
Severity: 2/4.
Creation date: 27/06/2018.
Identifiers: CVE-2018-12895, DLA-1452-1, DSA-4250-1, FEDORA-2018-623df1e98d, VIGILANCE-VUL-26554.


computer vulnerability note CVE-2018-10100 CVE-2018-10101 CVE-2018-10102

WordPress: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of WordPress.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 04/04/2018.
Identifiers: CERTFR-2018-AVI-167, CVE-2018-10100, CVE-2018-10101, CVE-2018-10102, DLA-1366-1, DSA-4193-1, VIGILANCE-VUL-25774.


cybersecurity alert CVE-2018-6389

WordPress Core: denial of service via load-scripts.php

Synthesis of the vulnerability

An attacker can generate an overload via load-scripts.php of WordPress Core, in order to trigger a denial of service.
Severity: 1/4.
Creation date: 06/02/2018.
Identifiers: CVE-2018-6389, VIGILANCE-VUL-25228.


weakness 25099

WordPress: Cross Site Scripting via MediaElement Flash Fallback

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via MediaElement Flash Fallback of WordPress, in order to run JavaScript code in the context of the web site.
Severity: 2/4.
Creation date: 17/01/2018.
Identifiers: CERTFR-2018-AVI-034, VIGILANCE-VUL-25099.

Description of the vulnerability

The WordPress product offers a web service.

However, it does not filter received data via MediaElement Flash Fallback before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via MediaElement Flash Fallback of WordPress, in order to run JavaScript code in the context of the web site.

cybersecurity weakness CVE-2017-17091 CVE-2017-17092 CVE-2017-17093

WordPress Core: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of WordPress Core.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 30/11/2017.
Identifiers: CERTFR-2017-AVI-438, CVE-2017-17091, CVE-2017-17092, CVE-2017-17093, CVE-2017-17094, DLA-1216-1, DSA-4090-1, FEDORA-2017-15ce66d344, FEDORA-2017-994ff5ced8, VIGILANCE-VUL-24595.


computer vulnerability note CVE-2017-16510

WordPress Core: SQL injection via wpdb-prepare

Synthesis of the vulnerability

An attacker can use a SQL injection via wpdb-prepare of WordPress Core, in order to read or alter data.
Severity: 2/4.
Creation date: 31/10/2017.
Identifiers: CERTFR-2017-AVI-388, CVE-2017-16510, DLA-1160-1, DSA-4090-1, FEDORA-2017-6fd6877975, FEDORA-2017-9d0ff8d851, VIGILANCE-VUL-24278.


weakness CVE-2016-9263

WordPress Core: Cross Site Scripting via flashmediaelement.swf

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via flashmediaelement.swf of WordPress Core, in order to run JavaScript code in the context of the web site.
Severity: 2/4.
Creation date: 13/10/2017.
Identifiers: CVE-2016-9263, DLA-1151-1, DLA-1151-2, VIGILANCE-VUL-24131.


threat CVE-2017-14990

WordPress Core: privilege escalation via wp_signups.activation_key

Synthesis of the vulnerability

An attacker can bypass restrictions via wp_signups.activation_key of WordPress, in order to escalate their privileges.
Severity: 2/4.
Creation date: 03/10/2017.
Identifiers: 38474, CVE-2017-14990, DLA-1151-1, DLA-1151-2, DSA-3997-1, VIGILANCE-VUL-24012.


computer weakness note CVE-2017-14718 CVE-2017-14719 CVE-2017-14720

WordPress Core: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of WordPress Core.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 9.
Creation date: 20/09/2017.
Identifiers: CERTFR-2017-AVI-312, CVE-2017-14718, CVE-2017-14719, CVE-2017-14720, CVE-2017-14721, CVE-2017-14722, CVE-2017-14723, CVE-2017-14724, CVE-2017-14725, CVE-2017-14726, DLA-1151-1, DLA-1151-2, DSA-3997-1, VIGILANCE-VUL-23884.


security vulnerability CVE-2017-9061 CVE-2017-9062 CVE-2017-9063

WordPress Core: six vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of WordPress.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 6.
Creation date: 17/05/2017.
Identifiers: CERTFR-2017-AVI-157, CVE-2017-9061, CVE-2017-9062, CVE-2017-9063, CVE-2017-9064, CVE-2017-9065, CVE-2017-9066, DLA-1075-1, DLA-975-1, DSA-3870-1, DSA-4090-1, FEDORA-2017-46fcfd8c98, FEDORA-2017-d968f5a95f, FEDORA-2017-fe7c3c9c30, VIGILANCE-VUL-22750.

Description of the vulnerability

Several vulnerabilities were announced in WordPress.

An attacker can deceive the user via HTTP Class, in order to redirect them to a malicious site. [severity:1/4; CVE-2017-9066]

An attacker can bypass security features via XML-RPC API, in order to obtain sensitive information. [severity:2/4; CVE-2017-9065]

An attacker can bypass security features via XML-RPC API, in order to escalate their privileges. [severity:2/4; CVE-2017-9062]

An attacker can trigger a Cross Site Request Forgery via Filesystem Credentials Dialog, in order to force the victim to perform operations (VIGILANCE-VUL-22527). [severity:2/4; CVE-2017-9064]

An attacker can trigger a Cross Site Scripting via Large Files Upload, in order to run JavaScript code in the context of the web site. [severity:2/4; CVE-2017-9061]

An attacker can trigger a Cross Site Scripting via Customizer, in order to run JavaScript code in the context of the web site. [severity:2/4; CVE-2017-9063]