pkg:Bitnami/wordpress

All known vulnerabilities

• CRITICAL10.0CVE-2025-41240The Bitnami WordPress Helm chart mounts Kubernetes Secrets under a predictable path (/opt/bitnami/wordpress/secrets) that is located within…
  >= 6.7.2-7, < 6.8.2-1
• CRITICAL9.8CVE-2024-31211Remote Code Execution in `WP_HTML_Token`
  >= 6.4.0, < 6.4.2
• CRITICAL9.8CVE-2021-44223WordPress before 5.8 lacks support for the Update URI plugin header.
  from 0, < 5.8.0
• CRITICAL9.8CVE-2020-36326Object injection in PHPMailer/PHPMailer
  >= 3.7.0, < 3.7.36, >= 3.8.0, < 3.8.36, >= 3.9.0, < 3.9.34, >= 4.0.0, < 4.0.33, >= 4.1.0, < 4.1.33, >= 4.2.0, < 4.2.30, >= 4.3.0, < 4.3.26, >= 4.4.0, < 4.4.25, >= 4.5.0, < 4.5.24, >= 4.6.0, < 4.6.21, >= 4.7.0, < 4.7.21, >= 4.8.0, < 4.8.17, >= 4.9.0, < 4.9.18, >= 5.0.0, < 5.0.13, >= 5.1.0, < 5.1.10, >= 5.2.0, < 5.2.11, >= 5.3.0, < 5.3.8, >= 5.4.0, < 5.4.6, >= 5.5.0, < 5.5.5, >= 5.6.0, < 5.6.4, >= 5.7.0, < 5.7.2
• CRITICAL9.8CVE-2020-28037is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, whic…
  from 0, < 5.5.2
• CRITICAL9.8CVE-2020-28036wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.
  from 0, < 5.5.2
• CRITICAL9.8CVE-2020-28035WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.
  from 0, < 5.5.2
• CRITICAL9.8CVE-2020-28032wordpress - security update
  from 0, < 5.5.2
• CRITICAL9.1CVE-2020-28039is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine w…
  from 0, < 5.5.2
• HIGH8.8CVE-2023-51474Cross-Site Request Forgery (CSRF) vulnerability in Pixelemu TerraClassifieds.This issue affects TerraClassifieds: from n/a through 2.0.3.
  from 0, < 2.0.4
• HIGH8.8CVE-2024-31210PHP file upload bypass via Plugin installer
  from 0, < 4.1.40, >= 4.2.0, < 4.2.37, >= 4.3.0, < 4.3.33, >= 4.4.0, < 4.4.32, >= 4.5.0, < 4.5.31, >= 4.6.0, < 4.6.28, >= 4.7.0, < 4.7.28, >= 4.8.0, < 4.8.24, >= 4.9.0, < 4.9.25, >= 5.0.0, < 5.0.21, >= 5.1.0, < 5.1.18, >= 5.2.0, < 5.2.20, >= 5.3.0, < 5.3.17, >= 5.4.0, < 5.4.15, >= 5.5.0, < 5.5.14, >= 5.6.0, < 5.6.13, >= 5.7.0, < 5.7.11, >= 5.8.0, < 5.8.9, >= 5.9.0, < 5.9.9, >= 6.0.0, < 6.0.7, >= 6.1.0, < 6.1.5, >= 6.2.0, < 6.2.4, >= 6.3.0, < 6.3.3, >= 6.4.0, < 6.4.3
• HIGH8.8CVE-2022-21664SQL injection in WordPress
  from 0, < 5.8.3
• HIGH8.1CVE-2020-11027Password reset links invalidation issue in WordPress
  >= 3.7.0, < 3.7.33, >= 3.8.0, < 3.8.33, >= 3.9.0, < 3.9.31, >= 4.0.0, < 4.0.30, >= 4.1.0, < 4.1.30, >= 4.2.0, < 4.2.27, >= 4.3.0, < 4.3.23, >= 4.4.0, < 4.4.22, >= 4.5.0, < 4.5.21, >= 4.6.0, < 4.6.18, >= 4.7.0, < 4.7.17, >= 4.8.0, < 4.8.13, >= 4.9.0, < 4.9.14, >= 5.0.0, < 5.0.9, >= 5.1.0, < 5.1.5, >= 5.2.0, < 5.2.6, >= 5.3.0, < 5.3.3, >= 5.4.0, < 5.4.1
• HIGH7.5CVE-2024-3756The MF Gig Calendar WordPress plugin through 1.2.1 does not have CSRF checks in some places, which could allow attackers to make logged in…
  from 0, < 1.2.2
• HIGH7.5CVE-2022-21661SQL injection in WordPress
  >= 3.7.0, < 3.7.37, >= 3.8.0, < 3.8.37, >= 3.9.0, < 3.9.35, >= 4.0.0, < 4.0.34, >= 4.1.0, < 4.1.34, >= 4.2.0, < 4.2.31, >= 4.3.0, < 4.3.27, >= 4.4.0, < 4.4.26, >= 4.5.0, < 4.5.25, >= 4.6.0, < 4.6.22, >= 4.7.0, < 4.7.22, >= 4.8.0, < 4.8.18, >= 4.9.0, < 4.9.19, >= 5.0.0, < 5.0.15, >= 5.1.0, < 5.1.12, >= 5.2.0, < 5.2.14, >= 5.3.0, < 5.3.11, >= 5.4.0, < 5.4.9, >= 5.5.0, < 5.5.8, >= 5.6.0, < 5.6.7, >= 5.7.0, < 5.7.5, >= 5.8.0, < 5.8.3
• HIGH7.5CVE-2020-28033WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.
  from 0, < 5.5.2
• HIGH7.5CVE-2020-11028Unauthenticated disclosure of certain private posts in WordPress
  from 0, < 5.4.1
• HIGH7.2CVE-2022-21663Authenticated Object Injection in Multisites in WordPress
  from 0, < 5.8.3
• MEDIUM6.8CVE-2020-4047Authenticated XSS via media attachment page in WordPress
  >= 3.7.0, < 3.7.34, >= 3.8.0, < 3.8.34, >= 3.9.0, < 3.9.32, >= 4.0.0, < 4.0.31, >= 4.1.0, < 4.1.31, >= 4.2.0, < 4.2.28, >= 4.3.0, < 4.3.24, >= 4.4.0, < 4.4.23, >= 4.5.0, < 4.5.22, >= 4.6.0, < 4.6.19, >= 4.7.0, < 4.7.18, >= 4.8.0, < 4.8.14, >= 4.9.0, < 4.9.15, >= 5.0.0, < 5.0.10, >= 5.1.0, < 5.1.6, >= 5.2.0, < 5.2.7, >= 5.3.0, < 5.3.4, >= 5.4.0, < 5.4.2
• MEDIUM6.5CVE-2024-31111WordPress Core < 6.5.5 - Cross Site Scripting (XSS) vulnerability
  >= 5.9.0, < 5.9.10, >= 6.0.0, < 6.0.9, >= 6.1.0, < 6.1.7, >= 6.2.0, < 6.2.6, >= 6.3.0, < 6.3.5, >= 6.4.0, < 6.4.5, >= 6.5.0, < 6.5.5
• MEDIUM6.5CVE-2021-29447WordPress Authenticated XXE attack when installation is running PHP 8
  >= 5.6.0, < 5.7.1
• MEDIUM6.4CVE-2024-6307WordPress Core < 6.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via HTML API
  >= 5.9.0, < 5.9.10, >= 6.0.0, < 6.0.9, >= 6.1.0, < 6.1.7, >= 6.2.0, < 6.2.5, >= 6.3.0, < 6.3.5, >= 6.4.0, < 6.4.5, >= 6.5.0, < 6.5.5
• MEDIUM6.1CVE-2024-8665The YITH Custom Login plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropri…
  from 0, < 1.7.4
• MEDIUM6.1CVE-2024-4439WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due…
  >= 6.0.0, < 6.0.8, >= 6.1.0, < 6.1.6, >= 6.2.0, < 6.2.5, >= 6.3.0, < 6.3.4, >= 6.4.0, < 6.4.4, >= 6.5.0, < 6.5.2
• MEDIUM6.1CVE-2022-43500Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary scr…
  from 0, < 3.7.40, >= 3.8.0, < 3.8.40, >= 3.9.0, < 3.9.39, >= 4.0.0, < 4.0.37, >= 4.1.0, < 4.1.37, >= 4.2.0, < 4.2.34, >= 4.3.0, < 4.3.30, >= 4.4.0, < 4.4.29, >= 4.5.0, < 4.5.28, >= 4.6.0, < 4.6.25, >= 4.7.0, < 4.7.25, >= 4.8.0, < 4.8.21, >= 4.9.0, < 4.9.22, >= 5.0.0, < 5.0.18, >= 5.1.0, < 5.1.15, >= 5.2.0, < 5.2.17, >= 5.3.0, < 5.3.14, >= 5.4.0, < 5.4.12, >= 5.5.0, < 5.5.11, >= 5.6.0, < 5.6.10, >= 5.7.0, < 5.7.8, >= 5.8.0, < 5.8.6, >= 5.9.0, < 5.9.5, >= 6.0.0, < 6.0.3
• MEDIUM6.1CVE-2022-43497wordpress - security update
  from 0, < 3.7.40, >= 3.8.0, < 3.8.40, >= 3.9.0, < 3.9.39, >= 4.0.0, < 4.0.37, >= 4.1.0, < 4.1.37, >= 4.2.0, < 4.2.34, >= 4.3.0, < 4.3.30, >= 4.4.0, < 4.4.29, >= 4.5.0, < 4.5.28, >= 4.6.0, < 4.6.25, >= 4.7.0, < 4.7.25, >= 4.8.0, < 4.8.21, >= 4.9.0, < 4.9.22, >= 5.0.0, < 5.0.18, >= 5.1.0, < 5.1.15, >= 5.2.0, < 5.2.17, >= 5.3.0, < 5.3.14, >= 5.4.0, < 5.4.12, >= 5.5.0, < 5.5.11, >= 5.6.0, < 5.6.10, >= 5.7.0, < 5.7.8, >= 5.8.0, < 5.8.6, >= 5.9.0, < 5.9.5, >= 6.0.0, < 6.0.3
• MEDIUM6.1CVE-2020-28038WordPress before 5.5.2 allows stored XSS via post slugs.
  from 0, < 5.5.2
• MEDIUM6.1CVE-2020-28034WordPress before 5.5.2 allows XSS associated with global variables.
  from 0, < 5.5.2
• MEDIUM6.1CVE-2020-11029Cross-site scripting in stats method (object cache) in WordPress
  >= 3.7.0, < 3.7.33, >= 3.8.0, < 3.8.33, >= 3.9.0, < 3.9.31, >= 4.0.0, < 4.0.30, >= 4.1.0, < 4.1.30, >= 4.2.0, < 4.2.27, >= 4.3.0, < 4.3.23, >= 4.4.0, < 4.4.22, >= 4.5.0, < 4.5.21, >= 4.6.0, < 4.6.18, >= 4.7.0, < 4.7.17, >= 4.8.0, < 4.8.13, >= 4.9.0, < 4.9.14, >= 5.0.0, < 5.0.9, >= 5.1.0, < 5.1.5, >= 5.2.0, < 5.2.6, >= 5.3.0, < 5.3.3, >= 5.4.0, < 5.4.1
• MEDIUM5.9CVE-2025-58674WordPress <= 6.8.2 - (Author+) Cross Site Scripting (XSS) Vulnerability
  from 0, < 6.8.3
• MEDIUM5.9CVE-2024-35655Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Brave Brave Popup Builder allo…
  from 0, < 0.7.0
• MEDIUM5.9CVE-2022-3590WP <= 6.1.1 - Unauthenticated Blind SSRF via DNS Rebinding
  >= 4.1.0, < 4.1.1, >= 4.2.0, < 6.1.2
• MEDIUM5.7CVE-2020-4048Open redirect in wp_validate_redirect() in WordPress
  >= 3.7.0, < 3.7.34, >= 3.8.0, < 3.8.34, >= 3.9.0, < 3.9.32, >= 4.0.0, < 4.0.31, >= 4.1.0, < 4.1.31, >= 4.2.0, < 4.2.28, >= 4.3.0, < 4.3.24, >= 4.4.0, < 4.4.23, >= 4.5.0, < 4.5.22, >= 4.6.0, < 4.6.19, >= 4.7.0, < 4.7.18, >= 4.8.0, < 4.8.14, >= 4.9.0, < 4.9.15, >= 5.0.0, < 5.0.10, >= 5.1.0, < 5.1.6, >= 5.2.0, < 5.2.7, >= 5.3.0, < 5.3.4, >= 5.4.0, < 5.4.2
• MEDIUM5.4CVE-2022-4973WordPress Core < 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via use of the_meta(); function
  from 0, < 3.6.2, >= 3.7.0, < 3.7.39, >= 3.8.0, < 3.8.39, >= 3.9.0, < 3.9.37, >= 4.0.0, < 4.0.36, >= 4.1.0, < 4.1.36, >= 4.2.0, < 4.2.33, >= 4.3.0, < 4.3.29, >= 4.4.0, < 4.4.28, >= 4.5.0, < 4.5.27, >= 4.6.0, < 4.6.24, >= 4.7.0, < 4.7.24, >= 4.8.0, < 4.8.20, >= 4.9.0, < 4.9.21, >= 5.0.0, < 5.0.17, >= 5.1.0, < 5.1.14, >= 5.2.0, < 5.2.16, >= 5.3.0, < 5.3.13, >= 5.4.0, < 5.4.11, >= 5.5.0, < 5.5.10, >= 5.6.0, < 5.6.9, >= 5.7.0, < 5.7.7, >= 5.8.0, < 5.8.5, >= 5.9.0, < 5.9.4, >= 6.0.0, < 6.0.2
• MEDIUM5.4CVE-2024-30453Server-Side Request Forgery (SSRF) vulnerability in Brave Brave Popup Builder.This issue affects Brave Popup Builder: from n/a through 0.6.…
  from 0, < 0.6.6
• MEDIUM5.4CVE-2024-3755The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege user…
  from 0, < 1.2.2
• MEDIUM5.4CVE-2023-38000Auth. Stored Cross-Site Scripting (XSS) vulnerability in WordPress core and Gutenberg plugin via Navigation Links Block
  >= 5.9.0, < 5.9.8, >= 6.0.0, < 6.0.6, >= 6.1.0, < 6.1.4, >= 6.2.0, < 6.2.3, >= 6.3.0, < 6.3.2
• MEDIUM5.4CVE-2023-2745WordPress Core < 6.2.1 - Directory Traversal
  from 0, < 4.1.38, >= 4.2.0, < 4.2.35, >= 4.3.0, < 4.3.31, >= 4.4.0, < 4.4.30, >= 4.5.0, < 4.5.29, >= 4.6.0, < 4.6.26, >= 4.7.0, < 4.7.26, >= 4.8.0, < 4.8.22, >= 4.9.0, < 4.9.23, >= 5.0.0, < 5.0.19, >= 5.1.0, < 5.1.16, >= 5.2.0, < 5.2.18, >= 5.3.0, < 5.3.15, >= 5.4.0, < 5.4.13, >= 5.5.0, < 5.5.12, >= 5.6.0, < 5.6.11, >= 5.7.0, < 5.7.9, >= 5.8.0, < 5.8.7, >= 5.9.0, < 5.9.6, >= 6.0.0, < 6.0.4, >= 6.1.0, < 6.1.2, >= 6.2.0, < 6.2.1
• MEDIUM5.4CVE-2022-21662Stored XSS in WordPress
  from 0, < 5.8.3
• MEDIUM5.4CVE-2021-39201Authenticated cross-site scripting (XSS) in WordPress editor
  >= 5.0.0, < 5.8.0
• MEDIUM5.4CVE-2020-4046Authenticated XSS through embed block in WordPress
  >= 3.7.0, < 3.7.34, >= 3.8.0, < 3.8.34, >= 3.9.0, < 3.9.32, >= 4.0.0, < 4.0.31, >= 4.1.0, < 4.1.31, >= 4.2.0, < 4.2.28, >= 4.3.0, < 4.3.24, >= 4.4.0, < 4.4.23, >= 4.5.0, < 4.5.22, >= 4.6.0, < 4.6.19, >= 4.7.0, < 4.7.18, >= 4.8.0, < 4.8.14, >= 4.9.0, < 4.9.15, >= 5.0.0, < 5.0.10, >= 5.1.0, < 5.1.6, >= 5.2.0, < 5.2.7, >= 5.3.0, < 5.3.4, >= 5.4.0, < 5.4.2
• MEDIUM5.4CVE-2020-11030Cross-site scripting (XSS) in Search block in WordPress
  from 0, < 5.4.1
• MEDIUM5.4CVE-2020-11026Specially crafted filenames in WordPress leading to XSS
  >= 3.7.0, < 3.7.33, >= 3.8.0, < 3.8.33, >= 3.9.0, < 3.9.31, >= 4.0.0, < 4.0.30, >= 4.1.0, < 4.1.30, >= 4.2.0, < 4.2.27, >= 4.3.0, < 4.3.23, >= 4.4.0, < 4.4.22, >= 4.5.0, < 4.5.21, >= 4.6.0, < 4.6.18, >= 4.7.0, < 4.7.17, >= 4.8.0, < 4.8.13, >= 4.9.0, < 4.9.14, >= 5.0.0, < 5.0.9, >= 5.1.0, < 5.1.5, >= 5.2.0, < 5.2.6, >= 5.3.0, < 5.3.3, >= 5.4.0, < 5.4.1
• MEDIUM5.4CVE-2020-11025Authenticated cross-site scripting (XSS) in WordPress Customizer
  >= 4.7.0, < 5.4.1
• MEDIUM5.3CVE-2024-12028The Friends plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in al…
  from 0, < 3.2.2
• MEDIUM5.3CVE-2023-5692WordPress Core <= 6.4.3 - Sensitive Information Exposure via redirect_guess_404_permalink
  from 0, < 6.5.0
• MEDIUM5.3CVE-2023-22622WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the s…
  from 0, < 6.1.2
• MEDIUM5.3CVE-2023-5561WordPress < 6.3.2 - Unauthenticated Post Author Email Disclosure
  >= 4.7.0, < 4.7.27, >= 4.8.0, < 4.8.23, >= 4.9.0, < 4.9.24, >= 5.0.0, < 5.0.20, >= 5.1.0, < 5.1.17, >= 5.2.0, < 5.2.19, >= 5.3.0, < 5.3.16, >= 5.4.0, < 5.4.14, >= 5.5.0, < 5.5.13, >= 5.6.0, < 5.6.12, >= 5.7.0, < 5.7.10, >= 5.8.0, < 5.8.8, >= 5.9.0, < 5.9.8, >= 6.0.0, < 6.0.6, >= 6.1.0, < 6.1.4, >= 6.2.0, < 6.2.3, >= 6.3.0, < 6.3.2
• MEDIUM5.3CVE-2022-43504Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email add…
  from 0, < 3.7.40, >= 3.8.0, < 3.8.40, >= 3.9.0, < 3.9.39, >= 4.0.0, < 4.0.37, >= 4.1.0, < 4.1.37, >= 4.2.0, < 4.2.34, >= 4.3.0, < 4.3.30, >= 4.4.0, < 4.4.29, >= 4.5.0, < 4.5.28, >= 4.6.0, < 4.6.25, >= 4.7.0, < 4.7.25, >= 4.8.0, < 4.8.21, >= 4.9.0, < 4.9.22, >= 5.0.0, < 5.0.18, >= 5.1.0, < 5.1.15, >= 5.2.0, < 5.2.17, >= 5.3.0, < 5.3.14, >= 5.4.0, < 5.4.12, >= 5.5.0, < 5.5.11, >= 5.6.0, < 5.6.10, >= 5.7.0, < 5.7.8, >= 5.8.0, < 5.8.6, >= 5.9.0, < 5.9.5, >= 6.0.0, < 6.0.3
• MEDIUM5.3CVE-2021-39200Information Disclosure in wp_die() via JSONP in wordpress
  >= 5.2.0, < 5.8.1
• MEDIUM5.3CVE-2020-25286wordpress - security update
  from 0, < 5.4.2
• MEDIUM5.0CVE-2024-32111WordPress core < 6.5.5 - Auth. Arbitrary .html File Read (Windows Only) vulnerability
  >= 4.1.0, < 4.1.41, >= 4.2.0, < 4.2.38, >= 4.3.0, < 4.3.34, >= 4.4.0, < 4.4.33, >= 4.5.0, < 4.5.32, >= 4.6.0, < 4.6.29, >= 4.7.0, < 4.7.29, >= 4.8.0, < 4.8.25, >= 4.9.0, < 4.9.26, >= 5.0.0, < 5.0.22, >= 5.1.0, < 5.1.19, >= 5.2.0, < 5.2.21, >= 5.3.0, < 5.3.18, >= 5.4.0, < 5.4.16, >= 5.5.0, < 5.5.15, >= 5.6.0, < 5.6.14, >= 5.7.0, < 5.7.12, >= 5.8.0, < 5.8.10, >= 5.9.0, < 5.9.10, >= 6.0.0, < 6.0.9, >= 6.1.0, < 6.1.7, >= 6.2.0, < 6.2.6, >= 6.3.0, < 6.3.5, >= 6.4.0, < 6.4.5, >= 6.5.0, < 6.5.5
• MEDIUM4.8CVE-2024-3992The Amen WordPress plugin through 3.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as a…
  from 0, < 3.3.2
• MEDIUM4.3CVE-2026-3906WordPress 6.9 - 6.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Note Creation via REST API
  >= 6.9.0, < 6.9.2
• MEDIUM4.3CVE-2025-58246WordPress <= 6.8.2 - (Contributor+) Sensitive Data Exposure Vulnerability
  from 0, < 6.8.3
• MEDIUM4.3CVE-2024-43337Cross-Site Request Forgery (CSRF) vulnerability in Brave Brave Popup Builder.This issue affects Brave Popup Builder: from n/a through 0.7.0.
  from 0, < 0.7.1
• MEDIUM4.3CVE-2023-28492Missing Authorization vulnerability in CodePeople CP Multi View Event Calendar allows Functionality Misuse.This issue affects CP Multi View…
  from 0, < 1.4.11
• MEDIUM4.3CVE-2023-39999WordPress < 6.3.2 is vulnerable to Broken Access Control
  >= 4.1.0, < 4.1.39, >= 4.2.0, < 4.2.36, >= 4.3.0, < 4.3.32, >= 4.4.0, < 4.4.31, >= 4.5.0, < 4.5.30, >= 4.6.0, < 4.6.27, >= 4.7.0, < 4.7.27, >= 4.8.0, < 4.8.23, >= 4.9.0, < 4.9.24, >= 5.0.0, < 5.0.20, >= 5.1.0, < 5.1.17, >= 5.2.0, < 5.2.19, >= 5.3.0, < 5.3.16, >= 5.4.0, < 5.4.14, >= 5.5.0, < 5.5.13, >= 5.6.0, < 5.6.12, >= 5.7.0, < 5.7.10, >= 5.8.0, < 5.8.8, >= 5.9.0, < 5.9.8, >= 6.0.0, < 6.0.6, >= 6.1.0, < 6.1.4, >= 6.2.0, < 6.2.3, >= 6.3.0, < 6.3.2
• MEDIUM4.3CVE-2021-29450WordPress Authenticated disclosure of password-protected posts and pages
  >= 4.7.0, < 5.7.1
• MEDIUM4.3CVE-2020-28040WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.
  from 0, < 5.5.2
• LOW3.8CVE-2023-23814Missing Authorization vulnerability in CodePeople CP Multi View Event Calendar allows Exploiting Incorrectly Configured Access Control Secu…
  from 0, < 1.4.15
• LOW3.1CVE-2020-4050set-screen-option filter misuse by plugins leading to privilege escalation in WordPress
  >= 3.7.0, < 3.7.34, >= 3.8.0, < 3.8.34, >= 3.9.0, < 3.9.32, >= 4.0.0, < 4.0.31, >= 4.1.0, < 4.1.31, >= 4.2.0, < 4.2.28, >= 4.3.0, < 4.3.24, >= 4.4.0, < 4.4.23, >= 4.5.0, < 4.5.22, >= 4.6.0, < 4.6.19, >= 4.7.0, < 4.7.18, >= 4.8.0, < 4.8.14, >= 4.9.0, < 4.9.15, >= 5.0.0, < 5.0.10, >= 5.1.0, < 5.1.6, >= 5.2.0, < 5.2.7, >= 5.3.0, < 5.3.4, >= 5.4.0, < 5.4.2
• LOW2.4CVE-2020-4049Authenticated self-XSS via theme uploads in WordPress
  >= 3.7.0, < 3.7.34, >= 3.8.0, < 3.8.34, >= 3.9.0, < 3.9.32, >= 4.0.0, < 4.0.31, >= 4.1.0, < 4.1.31, >= 4.2.0, < 4.2.28, >= 4.3.0, < 4.3.24, >= 4.4.0, < 4.4.23, >= 4.5.0, < 4.5.22, >= 4.6.0, < 4.6.19, >= 4.7.0, < 4.7.18, >= 4.8.0, < 4.8.14, >= 4.9.0, < 4.9.15, >= 5.0.0, < 5.0.10, >= 5.1.0, < 5.1.6, >= 5.2.0, < 5.2.7, >= 5.3.0, < 5.3.4, >= 5.4.0, < 5.4.2