Wordpress

This hub aggregates every CVE we track for Wordpress, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.

Web & CMS Pluginson-premweb app

339

CVEs tracked

Critical

High

In CISA KEV

Severity distribution

MEDIUM228HIGH66CRITICAL27LOW18

Monthly trend

2024-072026-06

Latest CVEs

See all →

The 15 most recently published vulnerabilities affecting Wordpress.

CVE-2025-58674WordPress <= 6.8.2 - (Author+) Cross Site Scripting (XSS) Vulnerability5.9Sep 23, 2025
CVE-2025-58246WordPress <= 6.8.2 - (Contributor+) Sensitive Data Exposure Vulnerability4.3Sep 23, 2025
CVE-2025-54352WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior.3.7Jul 21, 2025
CVE-2022-4973WordPress Core < 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via use of the_meta(); function4.9Oct 16, 2024
CVE-2024-4439WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This ...7.2May 3, 2024
CVE-2024-31211Remote Code Execution in `WP_HTML_Token`5.5Apr 4, 2024
CVE-2024-31210PHP file upload bypass via Plugin installer7.6Apr 4, 2024
CVE-2023-5561WordPress < 6.3.2 - Unauthenticated Post Author Email Disclosure5.3Oct 16, 2023
CVE-2023-39999WordPress < 6.3.2 is vulnerable to Broken Access Control4.3Oct 13, 2023
CVE-2023-38000Auth. Stored Cross-Site Scripting (XSS) vulnerability in WordPress core and Gutenberg plugin via Navigation Links Block6.5Oct 13, 2023
CVE-2023-2745WordPress Core < 6.2.1 - Directory Traversal5.4May 17, 2023
CVE-2023-22622WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not re...5.3Jan 5, 2023
CVE-2022-3590WP <= 6.1.1 - Unauthenticated Blind SSRF via DNS Rebinding5.9Dec 14, 2022
CVE-2022-43504Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Pos...5.3Dec 5, 2022
CVE-2022-43500Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for ...6.1Dec 5, 2022

Product normalization is registry-driven with AI assist and human review. How it works