Open Redirect

wordpress is vulnerable to open redirect. The vulnerability exists as the values of $location used in wpvalidateredirect in wp-includes/pluggable.php is not properly sanitized...

Open Redirect

Wordpress is vulnerable to open redirection. It is possible due to lack of validation and sanitization of a URL in wpvalidateredirect in wp-includes/pluggable.php...

CVE-2017-8295

WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to...

DEBIAN-CVE-2017-6815

In WordPress before 4.7.3 wp-includes/pluggable.php, control characters can trick redirect URL validation...

UBUNTU-CVE-2017-6815

In WordPress before 4.7.3 wp-includes/pluggable.php, control characters can trick redirect URL validation...

CVE-2016-2221

Open redirect vulnerability in the wpvalidateredirect function in wp-includes/pluggable.php in WordPress before 4.4.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL that triggers incorrect hostname parsing, as demonstrated by an...

DEBIAN-CVE-2016-2221

Open redirect vulnerability in the wpvalidateredirect function in wp-includes/pluggable.php in WordPress before 4.4.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL that triggers incorrect hostname parsing, as demonstrated by an...

UBUNTU-CVE-2016-2221

Open redirect vulnerability in the wpvalidateredirect function in wp-includes/pluggable.php in WordPress before 4.4.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL that triggers incorrect hostname parsing, as demonstrated by an...

CVE-2016-2221

CVE-2016-2221 corresponds to an open redirect in WordPress prior to 4.4.2 via wp_validate_redirect in wp-includes/pluggable.php. The vulnerability allows remote attackers to redirect users to arbitrary sites and potentially enable phishing through malformed URLs that trigger incorrect hostname pa...

WordPress <= 4.4.1 - Open Redirect

This vulnerability in the wpvalidateredirect function in wp-includes/pluggable.php allows an attacker to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL which triggers incorrect hostname parsing. Solution Update WordPress...

CVE-2014-5240

Cross-site scripting XSS vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL...

DEBIAN-CVE-2014-5205

wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack...

DEBIAN-CVE-2014-5204

wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack...

UBUNTU-CVE-2014-5204

wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack...

CVE-2014-5204

wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack...

CVE-2014-5205

wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack...

CVE-2014-5240

Cross-site scripting XSS vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL...

CVE-2014-5205

wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack...

CVE-2014-5240

CVE-2014-5240 is an XSS in WordPress prior to 3.9.2 (Multisite enabled) affecting wp-includes/pluggable.php via a crafted avatar URL. The vulnerability allows remote authenticated administrators to inject arbitrary script/HTML and can enable a Super Admin privilege escalation. The issue is docume...

WordPress <= 3.9.1 - XSS

This vulnerability is in the wp-includes/pluggable.php. It allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL. Solution Update WordPress...