WordPress Core Vulnerabilities

🧹It's time for some spring cleaning! All researchers earn over 6.25x our normal bounty rates, through May 27th, 2024, when Wordfence handles responsible disclosure for our Spring Cleaning Bug Extravaganza! Learn more about our bug bounty program
Register as a researcher and submit your vulnerabilities today!

Wordfence Intelligence > Vulnerability Database > WordPress Core

Showing 1-20 of 358 WordPress Core vulnerabilities

WordPress Core < 6.0.3 - SQL Injection via WP_Date_Query

9.8

CVE ID Unknown

Oct 18, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WordPress Core < 5.5.3 - PHP Object Injection Gadget

9.8

CVE-2021-29476

Oct 29, 2020

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WordPress Core < 4.8.3 - SQL Injection due to Double Prepare approach

9.8

CVE-2017-16510

Oct 31, 2017

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WordPress Core < 4.8.2 - SQL Injection via Mishandled Placeholders

9.8

CVE-2017-14723

Sep 19, 2017

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WordPress Core 1.5 - 2.3.1 - Authorization Bypass

9.8

CVE-2007-6013

Dec 29, 2007

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WordPress Core < 2.2.3 & WordPress MU < 1.2.5a - SQL Injection

9.8

CVE-2007-4894

Sep 8, 2007

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WordPress Core < 2.3.2 - SQL Injection

9.8

CVE-2007-6318

Sep 8, 2007

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WordPress Core 2.2.1 - Backdoor

9.8

CVE-2007-1277

Mar 3, 2007

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WordPress Core 2.1.1 - Supply Chain Compromise

9.8

CVE ID Unknown

Mar 2, 2007

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WordPress Core <= 2.0.5 - SQL Injection

9.8

CVE-2007-0107

Jan 5, 2007

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WordPress Core < 2.0.4 - Privilege Escalation

9.8

CVE-2006-4028

Jul 9, 2006

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WordPress Core <= 0.70 - Remote File Inclusion

9.8

CVE-2003-1599

Jun 9, 2003

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WordPress Core < 5.1.1 - Cross-Site Request Forgery to Cross-Site Scripting via Comments

9.6

CVE-2019-9787

Apr 12, 2019

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

WordPress Core < 4.2.4 - Cross-Site Request Forgery to Post Lockage

9.6

CVE-2015-5731

Aug 4, 2015

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

WordPress Core < 6.0.3 - Reflected Cross-Site Scripting via SQL Injection

8.8

CVE-2022-43497

Oct 18, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

WordPress Core < 6.0.3 - Cross-Site Request Forgery via wp-trackback.php

8.8

CVE ID Unknown

Oct 18, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

WordPress Core < 5.9.1 - jQuery Prototype Pollution

8.8

CVE-2021-20083

Mar 11, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

WordPress Core < 5.5.2 - Privilege Escalation via XML-RPC

8.8

CVE-2020-28035

Oct 29, 2020

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

WordPress Core < 5.5.2 - Deserialization Gadget

8.8

CVE-2020-28032

Oct 29, 2020

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

WordPress Core < 5.5.2 - Privilege Escalation via XML-RPC

8.8

CVE-2020-28036

Oct 29, 2020

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Title	CVE ID	CVSS	Vector	Date
WordPress Core < 6.0.3 - SQL Injection via WP_Date_Query		9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	October 18, 2022
WordPress Core < 5.5.3 - PHP Object Injection Gadget	CVE-2021-29476	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	October 29, 2020
WordPress Core < 4.8.3 - SQL Injection due to Double Prepare approach	CVE-2017-16510	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	October 31, 2017
WordPress Core < 4.8.2 - SQL Injection via Mishandled Placeholders	CVE-2017-14723	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	September 19, 2017
WordPress Core 1.5 - 2.3.1 - Authorization Bypass	CVE-2007-6013	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	December 29, 2007
WordPress Core < 2.2.3 & WordPress MU < 1.2.5a - SQL Injection	CVE-2007-4894	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	September 8, 2007
WordPress Core < 2.3.2 - SQL Injection	CVE-2007-6318	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	September 8, 2007
WordPress Core 2.2.1 - Backdoor	CVE-2007-1277	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	March 3, 2007
WordPress Core 2.1.1 - Supply Chain Compromise		9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	March 2, 2007
WordPress Core <= 2.0.5 - SQL Injection	CVE-2007-0107	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	January 5, 2007
WordPress Core < 2.0.4 - Privilege Escalation	CVE-2006-4028	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	July 9, 2006
WordPress Core <= 0.70 - Remote File Inclusion	CVE-2003-1599	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	June 9, 2003
WordPress Core < 5.1.1 - Cross-Site Request Forgery to Cross-Site Scripting via Comments	CVE-2019-9787	9.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H	April 12, 2019
WordPress Core < 4.2.4 - Cross-Site Request Forgery to Post Lockage	CVE-2015-5731	9.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H	August 4, 2015
WordPress Core < 6.0.3 - Reflected Cross-Site Scripting via SQL Injection	CVE-2022-43497	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	October 18, 2022
WordPress Core < 6.0.3 - Cross-Site Request Forgery via wp-trackback.php		8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	October 18, 2022
WordPress Core < 5.9.1 - jQuery Prototype Pollution	CVE-2021-20083	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	March 11, 2022
WordPress Core < 5.5.2 - Privilege Escalation via XML-RPC	CVE-2020-28035	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	October 29, 2020
WordPress Core < 5.5.2 - Deserialization Gadget	CVE-2020-28032	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	October 29, 2020
WordPress Core < 5.5.2 - Privilege Escalation via XML-RPC	CVE-2020-28036	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	October 29, 2020

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation