WordPress Core Vulnerabilities

🧹It's time for some spring cleaning! All researchers earn over 6.25x our normal bounty rates, through May 27th, 2024, when Wordfence handles responsible disclosure for our Spring Cleaning Bug Extravaganza! Learn more about our bug bounty program
Register as a researcher and submit your vulnerabilities today!

Wordfence Intelligence > Vulnerability Database > WordPress Core

Showing 61-80 of 359 WordPress Core vulnerabilities

WordPress Core < 2.6.2 - Arbitrary User Password Reset

8.1

CVE-2008-4106

Sep 8, 2008

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

WordPress Core < 2.5.1 - Authentication Bypass

8.1

CVE-2008-1930

Apr 25, 2008

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

WordPress Core < 6.0.2 - Authenticated SQL Injection

8.0

CVE ID Unknown

Aug 30, 2022

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

WordPress Core < 5.8.3 - Authenticated (Author+) Stored Cross Site Scripting

8.0

CVE-2022-21662

Jan 6, 2022

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

WordPress Core < 5.8.3 - SQL Injection via WP_Query

8.0

CVE-2022-21661

Jan 6, 2021

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

WordPress Core < 5.0.1 - Arbitrary File Deletion

7.7

CVE-2018-20147

Dec 12, 2018

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

WordPress Core < 4.7.5 - Server-Side Request Forgery

7.7

CVE-2017-9066

May 16, 2017

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

WordPress Core < 4.0.1 - Server-Side Request Forgery

7.7

CVE-2014-9038

Nov 20, 2014

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

WordPress Core 5.8 beta - Stored Cross-Site Scripting in Custom HTML Block

7.6

CVE-2021-39202

Sep 9, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

WordPress Core 5.4 - 5.8 - Authenticated Stored Cross-Site Scripting

7.6

CVE-2021-39201

Sep 9, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

WordPress Core < 5.0.1 - Sensitive Information Disclosure

7.5

CVE-2018-20151

Dec 12, 2018

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

WordPress Core < 5.0.1 - PHAR Unserialization

7.5

CVE-2018-1000773

Sep 6, 2018

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

WordPress Core < 5.0 - Denial of Service

7.5

CVE-2018-6389

Feb 5, 2018

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

WordPress Core < 4.4 - Brute Force Password Recovery Tokens

7.5

CVE-2014-6412

Feb 12, 2015

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

WordPress Core < 3.1.1 - Denial of Service

7.5

CVE-2011-4957

Apr 5, 2011

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

WordPress Core 2.9.2 and 3.0.4 - Sensitive Information Disclosure

7.5

CVE-2011-3818

Jan 28, 2011

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

WordPress Core < 2.8.4 - Forced Password Reset

7.5

CVE-2009-2762

Aug 12, 2009

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

WordPress Core <= 2.3.3 - Directory Traversal

7.5

CVE-2008-4769

Apr 25, 2008

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

WordPress Core < 2.0.2 - Sensitive Information Disclosure

7.5

CVE-2006-0986

Mar 10, 2006

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

WordPress Core < 5.8.3 - SQL Injection via WP_Meta_Query

7.4

CVE-2022-21664

Jan 6, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Title	CVE ID	CVSS	Vector	Date
WordPress Core < 2.6.2 - Arbitrary User Password Reset	CVE-2008-4106	8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	September 8, 2008
WordPress Core < 2.5.1 - Authentication Bypass	CVE-2008-1930	8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	April 25, 2008
WordPress Core < 6.0.2 - Authenticated SQL Injection		8.0	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H	August 30, 2022
WordPress Core < 5.8.3 - Authenticated (Author+) Stored Cross Site Scripting	CVE-2022-21662	8.0	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H	January 6, 2022
WordPress Core < 5.8.3 - SQL Injection via WP_Query	CVE-2022-21661	8.0	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H	January 6, 2021
WordPress Core < 5.0.1 - Arbitrary File Deletion	CVE-2018-20147	7.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H	December 12, 2018
WordPress Core < 4.7.5 - Server-Side Request Forgery	CVE-2017-9066	7.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N	May 16, 2017
WordPress Core < 4.0.1 - Server-Side Request Forgery	CVE-2014-9038	7.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N	November 20, 2014
WordPress Core 5.8 beta - Stored Cross-Site Scripting in Custom HTML Block	CVE-2021-39202	7.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N	September 9, 2021
WordPress Core 5.4 - 5.8 - Authenticated Stored Cross-Site Scripting	CVE-2021-39201	7.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N	September 9, 2021
WordPress Core < 5.0.1 - Sensitive Information Disclosure	CVE-2018-20151	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	December 12, 2018
WordPress Core < 5.0.1 - PHAR Unserialization	CVE-2018-1000773	7.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	September 6, 2018
WordPress Core < 5.0 - Denial of Service	CVE-2018-6389	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	February 5, 2018
WordPress Core < 4.4 - Brute Force Password Recovery Tokens	CVE-2014-6412	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	February 12, 2015
WordPress Core < 3.1.1 - Denial of Service	CVE-2011-4957	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	April 5, 2011
WordPress Core 2.9.2 and 3.0.4 - Sensitive Information Disclosure	CVE-2011-3818	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	January 28, 2011
WordPress Core < 2.8.4 - Forced Password Reset	CVE-2009-2762	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	August 12, 2009
WordPress Core <= 2.3.3 - Directory Traversal	CVE-2008-4769	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	April 25, 2008
WordPress Core < 2.0.2 - Sensitive Information Disclosure	CVE-2006-0986	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	March 10, 2006
WordPress Core < 5.8.3 - SQL Injection via WP_Meta_Query	CVE-2022-21664	7.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L	January 6, 2022

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation