WordPress.org

Ready to get started?Download WordPress

Codex

Attention Interested in functions, hooks, classes, or methods? Check out the new WordPress Code Reference!

CVEs

CVE stands for Common Vulnerabilities and Exposures, which is an industry standard way to track security issues in software applications. They are tracked centrally in the National Vulnerability Database 2. NVD is a product of the NIST Computer Security Division.

Although many CVEs mention WordPress, only a few are applicable. Here is a list of CVEs that mention WordPress, organized by year, and whether the CVE impacts WordPress Plugins, the core programming, WordPress.com, or another aspect of WordPress, as well as which version of WordPress was impacted. The Date used is the date of the report going public and not the day the vulnerability was discovered.

In terms of security of your WordPress blog, being on the latest version of WordPress is all you need. WordPress generally fixes vulnerabilities and releases an upgrade or security update version before they become public and are issued a CVE.

WordPress uses third party applications like the Apache webserver, the PHP scripting language and the MySQL database. You should keep these versions current as well. Reports for these third party applications are not listed on this page.

Additionally you can take precaution actions by using Suhosin, an advanced protection system for PHP installations.

2010

1 total CVEs, 1 apply to core, 0 to legacy, and 0 are invalid. (for 2010 only core CVEs listed here)

CVE ID Date Impact Notes
CVE-2010-06822010-02-23CoreUnauthorized Disclosure

2009

16 total CVEs, 1 apply to plugins, 15 apply to core, 0 to legacy, and 0 are invalid. (for 2009 mostly core CVEs listed here, too many plugins)

CVE ID Date Impact Notes
CVE-2009-38912009-11-17CoreXSS
CVE-2009-38902009-11-17CoreFile Upload Bypass
CVE-2009-36222009-10-23CoreDenial Of Service
CVE-2009-28542009-08-18CoreBoundary Escalation
CVE-2009-28532009-08-18CorePrivelege Escalation
CVE-2009-28512009-08-18CoreXSS
CVE-2009-27622009-08-13CorePassword Reset
CVE-2009-24322009-07-10CoreInformation Disclosure (as well for WPMU)
CVE-2009-24312009-07-10CoreInformation Disclosure
CVE-2009-23362009-07-10CoreUser Information Disclosure
CVE-2009-23352009-07-10CoreUser Information Disclosure
CVE-2009-23342009-07-10CorePrivelege Escalation / Information Disclosure
CVE-2008-67672009-04-28CoreDenial Of Service
CVE-2008-67622009-03-20CoreOpen Redirect
CVE-2009-10302009-03-20CoreWordPress MU below 2.7
CVE-2009-09682009-03-19Plugin 

2008

59 total CVEs, 40 apply to plugins, 10 apply to core, 3 to legacy, and 6 are invalid.

CVE ID Date Impact Notes
CVE-2008-68112009-05-18Plugin 
CVE-2008-67672009-04-28InvalidSame Report as in CVE-2008-6762
CVE-2008-67622009-04-28Core 
CVE-2008-57522008-12-30Plugin 
CVE-2008-56952008-12-19Legacy CoreWordPress MU before 1.3.2, and WordPress 2.3.2 and earlier
CVE-2008-52782008-11-28CoreWordPress before 2.6.5
CVE-2008-51132008-11-17CoreWordPress 2.6.3
CVE-2008-47692008-10-28CoreWordPress 2.3.3 and earlier, and 2.5
CVE-2008-47342008-10-24Plugin 
CVE-2008-47332008-10-24Plugin 
CVE-2008-46712008-10-22CoreWordpress MU before 2.6
CVE-2008-46252008-10-21Plugin 
CVE-2008-46162008-10-20Plugin 
CVE-2008-41062008-09-18CoreWordPress before 2.6.2
CVE-2008-37472008-08-27CoreWordPress before 2.6.1
CVE-2008-33622008-07-30Plugin 
CVE-2008-32332008-07-18InvalidSVN only
CVE-2008-2510 2008-05-29 Plugin  
CVE-2008-2392 2008-05-21 Invalid "Admin" user has ability to edit plugins and upload files if file permissions allow- this is intentional.
CVE-2008-2146 2008-05-12 Invalid Describes a known issue in WordPress 2.2, which was released more than a year before. (Covered by previous CVE.) The problem described was fixed 9 months before this report.
CVE-2008-2068 2008-05-02 Core "Unspecified vectors" were never publicly reported, but fixed in 2.5.1.
CVE-2008-2034 2008-04-30 Plugin
CVE-2008-1930 2008-04-28 Core Cookie-based cryptographic splicing attack. Fixed in 2.5.1 prior to disclosure.
CVE-2008-2146 2008-04-27 Plugin  
CVE-2008-1982 2008-04-02 Plugin  
CVE-2008-1304 2008-03-12 WordPress.com XSS in invite system on WordPress.com, did not apply to WordPress.org blogs at all.
CVE-2008-1060 2008-02-28 Plugin  
CVE-2008-1059 2008-02-28 Plugin  
CVE-2008-0939 2008-02-25 Plugin  
CVE-2008-0845 2008-02-20 Plugin  
CVE-2008-0837 2008-02-20 Plugin  
CVE-2008-0691 2008-02-11 Plugin  
CVE-2008-0683 2008-02-11 Plugin  
CVE-2008-0682 2008-02-11 Plugin  
CVE-2008-0664 2008-02-07 Core If registration was enabled, an undisclosed vulnerability in XML-RPC. Fixed by 2.5 prior to disclosure.
CVE-2008-0618 2008-02-06 Plugin  
CVE-2008-0617 2008-02-06 Plugin  
CVE-2008-0616 2008-02-06 Plugin  
CVE-2008-0615 2008-02-06 Plugin  
CVE-2008-0560 2008-02-04 Plugin  
CVE-2008-0520 2008-01-31 Plugin  
CVE-2008-0508 2008-01-31 Plugin  
CVE-2008-0507 2008-01-31 Plugin  
CVE-2008-0491 2008-01-30 Plugin  
CVE-2008-0490 2008-01-30 Plugin  
CVE-2008-0388 2008-01-22 Plugin  
CVE-2008-0222 2008-01-10 Plugin  
CVE-2008-0206 2008-01-09 Plugin  
CVE-2008-0205 2008-01-09 Plugin  
CVE-2008-0204 2008-01-09 Plugin  
CVE-2008-0198 2008-01-09 Plugin  
CVE-2008-0197 2008-01-09 Plugin  
CVE-2008-0196 2008-01-09 Legacy Core Problem in legacy 2.0 branch of WordPress, not applicable to current versions.
CVE-2008-0195 2008-01-09 Legacy Core Disclosure in legacy 2.0 branch of WordPress, not applicable to current versions.
CVE-2008-0194 2008-01-09 Plugin Fixed in version 2.1.0 of this plugin, released 7 months prior to this CVE
CVE-2008-0193 2008-01-09 Plugin Fixed in version 2.1.0 of this plugin, released 7 months prior to this CVE
CVE-2008-0192 2008-01-09 Invalid Problem already fixed by 2.0.10 release 9 months before this CVE.
CVE-2008-0191 2008-01-09 Invalid Could not recreate in current release (2.3.2) at that time

See Also