Refine your search
6 vulnerabilities found for by WordPress.org
CVE-2025-64253 (GCVE-0-2025-64253)
Vulnerability from cvelistv5
Published
2025-12-16 08:12
Modified
2026-04-01 14:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-35 - Path Traversal: '.../...//'
Summary
Path Traversal: '.../...//' vulnerability in WordPress.org Health Check & Troubleshooting health-check allows Path Traversal.This issue affects Health Check & Troubleshooting: from n/a through <= 1.7.1.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WordPress.org | Health Check & Troubleshooting |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-64253",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-17T20:40:38.074430Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T20:40:43.598Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "health-check",
"product": "Health Check \u0026 Troubleshooting",
"vendor": "WordPress.org",
"versions": [
{
"lessThanOrEqual": "1.7.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "PPzzAArr | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:02:29.635Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Path Traversal: \u0027.../...//\u0027 vulnerability in WordPress.org Health Check \u0026 Troubleshooting health-check allows Path Traversal.\u003cp\u003eThis issue affects Health Check \u0026 Troubleshooting: from n/a through \u003c= 1.7.1.\u003c/p\u003e"
}
],
"value": "Path Traversal: \u0027.../...//\u0027 vulnerability in WordPress.org Health Check \u0026 Troubleshooting health-check allows Path Traversal.This issue affects Health Check \u0026 Troubleshooting: from n/a through \u003c= 1.7.1."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "Path Traversal"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-35",
"description": "Path Traversal: \u0027.../...//\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:10:18.136Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/health-check/vulnerability/wordpress-health-check-troubleshooting-plugin-1-7-1-path-traversal-vulnerability?_s_id=cve"
}
],
"title": "WordPress Health Check \u0026 Troubleshooting plugin \u003c= 1.7.1 - Path Traversal vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-64253",
"datePublished": "2025-12-16T08:12:50.088Z",
"dateReserved": "2025-10-29T03:08:17.828Z",
"dateUpdated": "2026-04-01T14:10:18.136Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-39999 (GCVE-0-2023-39999)
Vulnerability from cvelistv5
Published
2023-10-13 11:31
Modified
2025-02-13 17:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WordPress.org | WordPress |
Version: 6.3 < Version: 6.2 < Version: 6.1 < Version: 6.0 < Version: 5.9 < Version: 5.8 < Version: 5.7 < Version: 5.6 < Version: 5.5 < Version: 5.4 < Version: 5.3 < Version: 5.2 < Version: 5.1 < Version: 5.0 < Version: 4.9 < Version: 4.8 < Version: 4.7 < Version: 4.6 < Version: 4.5 < Version: 4.4 < Version: 4.3 < Version: 4.2 < Version: 4.1 < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:18:10.210Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://patchstack.com/articles/wordpress-core-6-3-2-security-update-technical-advisory?_s_id=cve"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wordpress/wordpress-wordpress-core-core-6-3-2-contributor-comment-read-on-private-and-password-protected-post-vulnerability?_s_id=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EVFT4DPZRFTXJPEPADM22BZVIUD2P66/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQBL4ZQCBFNQ76XHM5257CIBFQRGT5QY/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCCVDPKOK57WCTH2QJ5DJM3B53RJNZKA/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00014.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress",
"vendor": "WordPress.org",
"versions": [
{
"changes": [
{
"at": "6.3.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.3.1",
"status": "affected",
"version": "6.3",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.2.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.2.2",
"status": "affected",
"version": "6.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.1.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.13",
"status": "affected",
"version": "6.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.0.6",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.0.5",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.9.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.9.7",
"status": "affected",
"version": "5.9",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.8.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.8.7",
"status": "affected",
"version": "5.8",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.7.10",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.7.9",
"status": "affected",
"version": "5.7",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.6.12",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.6.11",
"status": "affected",
"version": "5.6",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.5.13",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.5.12",
"status": "affected",
"version": "5.5",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.4.14",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.4.13",
"status": "affected",
"version": "5.4",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.3.16",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.3.15",
"status": "affected",
"version": "5.3",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.2.19",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.2.18",
"status": "affected",
"version": "5.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.1.17",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.1.16",
"status": "affected",
"version": "5.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.0.20",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.0.19",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.9.24",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.9.23",
"status": "affected",
"version": "4.9",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.8.23",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.8.22",
"status": "affected",
"version": "4.8",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.7.27",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.7.26",
"status": "affected",
"version": "4.7",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.6.27",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.6.26",
"status": "affected",
"version": "4.6",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.5.30",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.5.29",
"status": "affected",
"version": "4.5",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.4.31",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.4.30",
"status": "affected",
"version": "4.4",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.3.32",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.3.31",
"status": "affected",
"version": "4.3",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.2.36",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.2.35",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "4.1.39",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.1.38",
"status": "affected",
"version": "4.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafie Muhammad (Patchstack)"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jb Audras (WordPress Security Team)"
}
],
"datePublic": "2023-10-13T05:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor in WordPress\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38.\u003c/span\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor in WordPress\u00a0from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-20T23:06:12.283Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://patchstack.com/articles/wordpress-core-6-3-2-security-update-technical-advisory?_s_id=cve"
},
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/wordpress/wordpress-wordpress-core-core-6-3-2-contributor-comment-read-on-private-and-password-protected-post-vulnerability?_s_id=cve"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EVFT4DPZRFTXJPEPADM22BZVIUD2P66/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQBL4ZQCBFNQ76XHM5257CIBFQRGT5QY/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCCVDPKOK57WCTH2QJ5DJM3B53RJNZKA/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00014.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to suitable (6.3.2,\u0026nbsp;6.2.3, 6.1.4, 6.0.6, 5.9.8, 5.8.8, 5.7.10, 5.6.12, 5.5.13, 5.4.14, 5.3.16, 5.2.19, 5.1.17, 5.0.20, 4.9.24, 4.8.23, 4.7.27, 4.6.27, 4.5.30, 4.4.31, 4.3.32, 4.2.36, 4.1.39) or a higher version."
}
],
"value": "Update to suitable (6.3.2,\u00a06.2.3, 6.1.4, 6.0.6, 5.9.8, 5.8.8, 5.7.10, 5.6.12, 5.5.13, 5.4.14, 5.3.16, 5.2.19, 5.1.17, 5.0.20, 4.9.24, 4.8.23, 4.7.27, 4.6.27, 4.5.30, 4.4.31, 4.3.32, 4.2.36, 4.1.39) or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress \u003c 6.3.2 is vulnerable to Broken Access Control",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-39999",
"datePublished": "2023-10-13T11:31:16.977Z",
"dateReserved": "2023-08-08T11:43:05.859Z",
"dateUpdated": "2025-02-13T17:03:20.665Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38000 (GCVE-0-2023-38000)
Vulnerability from cvelistv5
Published
2023-10-13 09:55
Modified
2024-08-02 17:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin <= 16.8.0 versions.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| WordPress.org | WordPress |
Version: 6.3 < Version: 6.2 < Version: 6.1 < Version: 6.0 < Version: 5.9 < |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:23:27.829Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://patchstack.com/articles/wordpress-core-6-3-2-security-update-technical-advisory?_s_id=cve"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wordpress/wordpress-core-6-3-2-contributor-stored-xss-in-navigation-links-block-vulnerability?_s_id=cve"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/gutenberg/wordpress-gutenberg-plugin-16-8-0-contributor-stored-xss-in-navigation-links-block-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress",
"vendor": "WordPress.org",
"versions": [
{
"changes": [
{
"at": "6.3.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.3.1",
"status": "affected",
"version": "6.3",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.2.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.2.2",
"status": "affected",
"version": "6.2",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.1.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.1.3",
"status": "affected",
"version": "6.1",
"versionType": "custom"
},
{
"changes": [
{
"at": "6.0.6",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.0.5",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "5.9.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.9.7",
"status": "affected",
"version": "5.9",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "gutenberg",
"product": "Gutenberg",
"vendor": "Gutenberg Team",
"versions": [
{
"changes": [
{
"at": "16.8.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "16.8.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafie Muhammad (Patchstack)"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Edouard Lamoine (Patchstack)"
}
],
"datePublic": "2023-10-13T05:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003e6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin \u0026lt;= 16.8.0 versions.\u003c/span\u003e"
}
],
"value": "Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core\u00a06.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin \u003c= 16.8.0 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-13T10:34:00.870Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://patchstack.com/articles/wordpress-core-6-3-2-security-update-technical-advisory?_s_id=cve"
},
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/wordpress/wordpress-core-6-3-2-contributor-stored-xss-in-navigation-links-block-vulnerability?_s_id=cve"
},
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/gutenberg/wordpress-gutenberg-plugin-16-8-0-contributor-stored-xss-in-navigation-links-block-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update WordPress core to the 6.3.2,\u0026nbsp;6.2.3,\u0026nbsp;6.1.4,\u0026nbsp;6.0.6,\u0026nbsp;5.9.8 or a higher version."
}
],
"value": "Update WordPress core to the 6.3.2,\u00a06.2.3,\u00a06.1.4,\u00a06.0.6,\u00a05.9.8 or a higher version."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update\u0026nbsp;Gutenberg to\u0026nbsp;16.8.1 or a higher version."
}
],
"value": "Update\u00a0Gutenberg to\u00a016.8.1 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Auth. Stored Cross-Site Scripting (XSS) vulnerability in WordPress core and Gutenberg plugin via Navigation Links Block",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-38000",
"datePublished": "2023-10-13T09:55:54.690Z",
"dateReserved": "2023-07-11T12:50:13.630Z",
"dateUpdated": "2024-08-02T17:23:27.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43504 (GCVE-0-2022-43504)
Vulnerability from cvelistv5
Published
2022-12-05 00:00
Modified
2025-04-24 14:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Improper authentication
Summary
Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WordPress.org | WordPress |
Version: versions prior to 6.0.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:32:59.652Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/download/"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN09409909/index.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-43504",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-24T14:04:12.331568Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T14:04:17.689Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WordPress",
"vendor": "WordPress.org",
"versions": [
{
"status": "affected",
"version": "versions prior to 6.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper authentication",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-02T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://wordpress.org/download/"
},
{
"url": "https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/"
},
{
"url": "https://jvn.jp/en/jp/JVN09409909/index.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-43504",
"datePublished": "2022-12-05T00:00:00.000Z",
"dateReserved": "2022-10-22T00:00:00.000Z",
"dateUpdated": "2025-04-24T14:04:17.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43497 (GCVE-0-2022-43497)
Vulnerability from cvelistv5
Published
2022-12-05 00:00
Modified
2025-04-24 14:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Cross-site scripting
Summary
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WordPress.org | WordPress |
Version: versions prior to 6.0.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:32:59.252Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/download/"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN09409909/index.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-43497",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-24T14:09:53.043303Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T14:09:56.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WordPress",
"vendor": "WordPress.org",
"versions": [
{
"status": "affected",
"version": "versions prior to 6.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-02T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://wordpress.org/download/"
},
{
"url": "https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/"
},
{
"url": "https://jvn.jp/en/jp/JVN09409909/index.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-43497",
"datePublished": "2022-12-05T00:00:00.000Z",
"dateReserved": "2022-10-22T00:00:00.000Z",
"dateUpdated": "2025-04-24T14:09:56.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43500 (GCVE-0-2022-43500)
Vulnerability from cvelistv5
Published
2022-12-05 00:00
Modified
2025-04-24 14:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Cross-site scripting
Summary
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WordPress.org | WordPress |
Version: versions prior to 6.0.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:32:59.666Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/download/"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN09409909/index.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-43500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-24T14:06:13.924261Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T14:06:16.807Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WordPress",
"vendor": "WordPress.org",
"versions": [
{
"status": "affected",
"version": "versions prior to 6.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-02T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://wordpress.org/download/"
},
{
"url": "https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/"
},
{
"url": "https://jvn.jp/en/jp/JVN09409909/index.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-43500",
"datePublished": "2022-12-05T00:00:00.000Z",
"dateReserved": "2022-10-22T00:00:00.000Z",
"dateUpdated": "2025-04-24T14:06:16.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}