Computer vulnerabilities of WordPress Core

computer vulnerability bulletin CVE-2019-9787

WordPress Core: Cross Site Scripting via Comments

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Comments of WordPress Core, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, WordPress Core.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 13/03/2019.
Identifiers: CERTFR-2019-AVI-100, CVE-2019-9787, DLA-1742-1, VIGILANCE-VUL-28738.

Description of the vulnerability

The Core plugin can be installed on WordPress.

However, it does not filter data received via Comments before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Comments of WordPress Core, in order to run JavaScript code in the context of the web site.

vulnerability alert CVE-2019-8943

WordPress Core: directory traversal via wp_crop_image

Synthesis of the vulnerability

An attacker can traverse directories via wp_crop_image() of WordPress Core, in order to create a file outside the service root path.
Impacted products: WordPress Core.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 20/02/2019.
Identifiers: CVE-2019-8943, VIGILANCE-VUL-28561.

Description of the vulnerability

An attacker can traverse directories via wp_crop_image() of WordPress Core, in order to create a file outside the service root path.

computer vulnerability announcement CVE-2017-1000600 CVE-2018-1000773

WordPress Core: code execution via PHAR Thumbnail Upload

Synthesis of the vulnerability

An attacker can use a vulnerability via PHAR Thumbnail Upload of WordPress Core, in order to run code.
Impacted products: WordPress Core.
Severity: 2/4.
Consequences: user access/rights.
Provenance: user account.
Number of vulnerabilities in this bulletin: 2.
Creation date: 07/09/2018.
Identifiers: CVE-2017-1000600, CVE-2018-1000773, VIGILANCE-VUL-27177.

Description of the vulnerability

An attacker can use a vulnerability via PHAR Thumbnail Upload of WordPress Core, in order to run code.

vulnerability note 26644

WordPress Core: denial of service via Media Upload File Deletion

Synthesis of the vulnerability

An attacker can generate a fatal error via Media Upload File Deletion of WordPress Core, in order to trigger a denial of service.
Impacted products: WordPress Core.
Severity: 2/4.
Consequences: data deletion, denial of service on service.
Provenance: user account.
Creation date: 06/07/2018.
Identifiers: CERTFR-2018-AVI-327, VIGILANCE-VUL-26644.

Description of the vulnerability

An attacker can generate a fatal error via Media Upload File Deletion of WordPress Core, in order to trigger a denial of service.

vulnerability note CVE-2018-12895

WordPress Core: file deletion via Author Delete

Synthesis of the vulnerability

An attacker can generate a fatal error via Author Delete of WordPress Core, in order to trigger a denial of service.
Impacted products: Debian, Fedora, WordPress Core.
Severity: 2/4.
Consequences: data deletion.
Provenance: privileged account.
Creation date: 27/06/2018.
Identifiers: CVE-2018-12895, DLA-1452-1, DSA-4250-1, FEDORA-2018-623df1e98d, VIGILANCE-VUL-26554.

Description of the vulnerability

An attacker can generate a fatal error via Author Delete of WordPress Core, in order to trigger a denial of service.

vulnerability note CVE-2018-10100 CVE-2018-10101 CVE-2018-10102

WordPress: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of WordPress.
Impacted products: Debian, WordPress Core.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 04/04/2018.
Identifiers: CERTFR-2018-AVI-167, CVE-2018-10100, CVE-2018-10101, CVE-2018-10102, DLA-1366-1, DSA-4193-1, VIGILANCE-VUL-25774.

Description of the vulnerability

An attacker can use several vulnerabilities of WordPress.

computer vulnerability bulletin CVE-2018-6389

WordPress Core: denial of service via load-scripts.php

Synthesis of the vulnerability

An attacker can generate an overload via load-scripts.php of WordPress Core, in order to trigger a denial of service.
Impacted products: WordPress Core.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service.
Provenance: internet client.
Creation date: 06/02/2018.
Identifiers: CVE-2018-6389, VIGILANCE-VUL-25228.

Description of the vulnerability

An attacker can generate an overload via load-scripts.php of WordPress Core, in order to trigger a denial of service.

computer vulnerability note 25099

WordPress: Cross Site Scripting via MediaElement Flash Fallback

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via MediaElement Flash Fallback of WordPress, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Core.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 17/01/2018.
Identifiers: CERTFR-2018-AVI-034, VIGILANCE-VUL-25099.

Description of the vulnerability

The WordPress product offers a web service.

However, it does not filter data received via MediaElement Flash Fallback before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via MediaElement Flash Fallback of WordPress, in order to run JavaScript code in the context of the web site.

computer vulnerability CVE-2017-17091 CVE-2017-17092 CVE-2017-17093

WordPress Core: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of WordPress Core.
Impacted products: Debian, Fedora, WordPress Core.
Severity: 3/4.
Consequences: user access/rights, data reading.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 30/11/2017.
Identifiers: CERTFR-2017-AVI-438, CVE-2017-17091, CVE-2017-17092, CVE-2017-17093, CVE-2017-17094, DLA-1216-1, DSA-4090-1, FEDORA-2017-15ce66d344, FEDORA-2017-994ff5ced8, VIGILANCE-VUL-24595.

Description of the vulnerability

An attacker can use several vulnerabilities of WordPress Core.

computer vulnerability bulletin CVE-2017-16510

WordPress Core: SQL injection via wpdb-prepare

Synthesis of the vulnerability

An attacker can use a SQL injection via wpdb-prepare of WordPress Core, in order to read or alter data.
Impacted products: Debian, Fedora, WordPress Core.
Severity: 2/4.
Consequences: data reading, data creation/editing, data deletion.
Provenance: internet client.
Creation date: 31/10/2017.
Identifiers: CERTFR-2017-AVI-388, CVE-2017-16510, DLA-1160-1, DSA-4090-1, FEDORA-2017-6fd6877975, FEDORA-2017-9d0ff8d851, VIGILANCE-VUL-24278.

Description of the vulnerability

An attacker can use a SQL injection via wpdb-prepare of WordPress Core, in order to read or alter data.