WordPress

62 total issues disclosed
$17,963 total paid publicly
Most disclosed (14 disclosures) — Cross-site Scripting (XSS) - Stored

Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Authenticated XXE | XML External Entities (XXE) | sonarsource | Medium | 2021-05-18 |
| Privilege Escalation via REST API to Administrator leads to RCE | Privilege Escalation | hoangkien1020 | High | 2021-05-17 |
| XSS via unicode characters in upload filename | Cross-site Scripting (XSS) - Generic | kahoots | Medium | 2020-08-28 |
| Stored XSS on Broken Themes via filename | Cross-site Scripting (XSS) - Stored | apapedulimu | Low | 2020-08-25 |
| Stored XSS in Post Preview as Contributor | Cross-site Scripting (XSS) - Stored | simonscannell | Medium | 2020-08-18 |
| pre-auth Stored XSS in comments via javascript: url when administrator edits user supplied comment | Cross-site Scripting (XSS) - Stored | simonscannell | High | 2020-08-18 |
| Clickjacking on donation page | UI Redressing (Clickjacking) | b0d8e6c576cada9bb87be7b | Low | 2020-07-16 |
| Authenticated Stored Cross-site Scripting in bbPress | Cross-site Scripting (XSS) - Stored | binit | Medium | 2020-06-29 |
| RCE as Admin defeats WordPress hardening and file permissions | Path Traversal | simonscannell | Critical | 2020-06-09 |
| Allow authenticated users can edit, trash, and add new in BuddyPress Emails function | Privilege Escalation | hoangkien1020 | Medium | 2020-05-22 |
| Wordpress unzip_file path traversal | Violation of Secure Design Principles | ajxchapman | Medium | 2020-01-29 |
| Potential unprivileged Stored XSS through wp_targeted_link_rel | Cross-site Scripting (XSS) - Stored | simonscannell | High | 2020-01-08 |
| plugins.trac.wordpress.org likely vulnerable to Cross Site Tracing (xst), TRACE HTTP method should be disabled | Violation of Secure Design Principles | geeknik | No rating | 2019-11-03 |
| Reflected XSS on https://make.wordpress.org via 'channel' parameter | Cross-site Scripting (XSS) - Reflected | gnux | High | 2019-08-26 |
| Stored XSS on BuddyPress Plug-in via groups name | Cross-site Scripting (XSS) - Stored | yxw21 | Low | 2019-07-27 |
| Stored XSS Vulnerability | Cross-site Scripting (XSS) - Stored | mygf | High | 2019-07-18 |
| CSRF to HTML Injection in Comments | Cross-Site Request Forgery (CSRF) | simonscannell | High | 2019-05-13 |
| Stored XSS in Private Message component (BuddyPress) | Cross-site Scripting (XSS) - Stored | klmunday | Critical | 2019-03-08 |
| Reflected Swf XSS In ( plugins.svn.wordpress.org ) | None supplied | m7mdharoun | Medium | 2018-09-27 |
| Account takeover vulnerability by editor role privileged users/attackers via clickjacking | UI Redressing (Clickjacking) | rewanth_cool | High | 2018-09-03 |
| [mercantile.wordpress.org] Reflected XSS | Cross-site Scripting (XSS) - Reflected | zee_shan | Medium | 2018-08-30 |
| Arbitrary file deletion in wp-core - guides towards RCE and information disclosure | Path Traversal | b258ea62bf297b02afa9854 | Critical | 2018-08-29 |
| Information / sensitive data disclosure on some endpoints | Information Disclosure | europa | Medium | 2018-08-22 |
| Clickjacking In jobs.wordpress.net | UI Redressing (Clickjacking) | xsszeeshan2 | Low | 2018-08-22 |
| xss - reflected | Cross-site Scripting (XSS) - Reflected | arunthelegion | Low | 2018-07-24 |
| XSS on support.wordcamp.org in ajax-quote.php | Cross-site Scripting (XSS) - Reflected | mopman | No rating | 2018-07-23 |
| Open API For Username enumeration | None supplied | sameerphad72 | Low | 2018-07-23 |
| code.wordpress.net subdomain Takeover | None supplied | sniperpex | Medium | 2018-03-11 |
| Open Redirect on the nl.wordpress.net | Open Redirect | sp1d3rs | Low | 2018-02-22 |
| MediaElements XSS | Cross-site Scripting (XSS) - Reflected | shay12tg | High | 2018-02-16 |
| UnResolved ChangeSet are Visible to Public That also Causes Information Disclosure | Information Disclosure | hackerwahab | None | 2018-02-05 |
| Stored XSS in WordPress | Cross-site Scripting (XSS) - Stored | abdullah | Medium | 2018-02-02 |
| [support.wordcamp.org] - publicly accessible .svn repository | Improper Access Control - Generic | kazan71p | None | 2018-02-01 |
| Lack of Sanitization and Insufficient Authentication | Cross-site Scripting (XSS) - Stored | rahulpratap | Medium | 2017-12-26 |
| Stored xss via template injection | Cross-site Scripting (XSS) - Stored | morningstar | High | 2017-12-11 |
| Content Spoofing @ https://irclogs.wordpress.org/ | Improper Access Control - Generic | hackerwahab | Low | 2017-12-04 |
| Wordpress 4.7 - CSRF -> HTTP SSRF any private ip:port and basic-auth | Cross-Site Request Forgery (CSRF) | skansing | High | 2017-11-20 |
| Authenticated Cross-site Scripting in Template Name | Cross-site Scripting (XSS) - Stored | yeahyeah | Medium | 2017-11-18 |
| WordPress core - Denial of Service via Cross Site Request Forgery | Denial of Service | dutchgraa | No rating | 2017-11-16 |
| WordPress DB Class, bad implementation of prepare method guides to sqli and information disclosure | SQL Injection | b258ea62bf297b02afa9854 | Critical | 2017-11-13 |
| Self-XSS in WordPress Editor Link Modal | Cross-site Scripting (XSS) - Generic | xhzeem | Low | 2017-11-08 |
| [BuddyPress 2.9.1] Open Redirect via "wp_http_referer" parameter on "bp-profile-edit" endpoint | Open Redirect | ysx | Low | 2017-11-02 |
| Buddypress 2.9.1 - Exceeding the maximum upload size - XSS leading to potential RCE. | None supplied | skansing | Medium | 2017-11-02 |
| Unauthenticated hidden groups disclosure via Ajax groups search | Improper Access Control - Generic | jdgrimes | Medium | 2017-11-02 |
| Missing SSL can leak job token | Cleartext Transmission of Sensitive Information | c0rte | Low | 2017-11-01 |
| Clickjacking irclogs.wordpress.org | UI Redressing (Clickjacking) | sameull | No rating | 2017-10-12 |
| Wordpress 4.8.1 - Rogue editor leads to RCE. And the risks of same origin frame scripting in general | None supplied | skansing | High | 2017-10-04 |
| Clickjacking mercantile.wordpress.org | UI Redressing (Clickjacking) | villagelad | Low | 2017-09-08 |
| Clickjacking - https://mercantile.wordpress.org/ | UI Redressing (Clickjacking) | giantfire | Low | 2017-08-28 |
| [Buddypress] Arbitrary File Deletion through bp_avatar_set | None supplied | mopman | High | 2017-08-22 |
| Reflected XSS at https://da.wordpress.org/themes/?s= via "s=" parameter | Cross-site Scripting (XSS) - Reflected | jon_bottarini | Medium | 2017-07-26 |
| Wordpress 4.7.2 - Two XSS in Media Upload when file too large. | Cross-site Scripting (XSS) - Generic | skansing | High | 2017-07-18 |
| Infrastructure - Photon - SSRF | Server-Side Request Forgery (SSRF) | skansing | Medium | 2017-07-18 |
| Stored self-XSS in mercantile.wordpress.org checkout | Cross-site Scripting (XSS) - Stored | eidelweiss | Low | 2017-07-14 |
| CSRF to add admin [wordpress] | Cross-Site Request Forgery (CSRF) | abdullah | No rating | 2017-06-30 |
| Clickjacking wordcamp.org | UI Redressing (Clickjacking) | hasanexpert | Low | 2017-06-24 |
| [mercantile.wordpress.org] Reflected XSS via AngularJS Template Injection | Cross-site Scripting (XSS) - Reflected | ysx | Medium | 2017-06-14 |
| DOM Based XSS In mercantile.wordpress.org | Cross-site Scripting (XSS) - DOM | pabster | Medium | 2017-06-14 |
| Stored but [SELF] XSS in mercantile.wordpress.org | Cross-site Scripting (XSS) - Stored | codertom | Low | 2017-05-26 |
| XSS in the search bar of mercantile.wordpress.org | Cross-site Scripting (XSS) - Reflected | codertom | Medium | 2017-05-20 |
| Lack of Password Confirmation when Changing Password and Email | None supplied | mga_bobo | No rating | 2017-04-28 |
| Administrator(s) Information disclosure via JSON on wordpress.org | Information Disclosure | 596a96cc7bf9108cd896f33c4 | Medium | 2017-04-20 |