Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery.

According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities :

 - A flaw in $wpdb->prepare() can create unsafe queries leading to potential SQL injection flaws with plugins and themes.

 - Multiple cross-site scripting (XSS) vulnerabilities exists due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session.

 - Multiple path traversal vulnerabilities exist in the file unzipping code and customizer. A remote attacker may be able to read arbitrary files subject to the privileges under which the web server runs.

 - An open redirect flaw exists on the user and term edit screens. A remote attacker can exploit this, by tricking a user into following a specially crafted link, to redirect a user to an arbitrary website.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

Several vulnerabilities were discovered in Wordpress, a web blogging tool. They would allow remote attackers to exploit path-traversal issues, perform SQL injections and various cross-site scripting attacks.

wordpress developers report :

Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL.

Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name.

Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components.

Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name.

Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename.

Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery.

Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.

According to its self-reported version number, the WordPress application running on the remote web server is prior to 4.8.2.
It is, therefore, affected by multiple vulnerabilities :

  - A flaw in $wpdb->prepare() can create unsafe queries     leading to potential SQL injection flaws with plugins     and themes.

  - Multiple cross-site scripting (XSS) vulnerabilities     exists due to improper sanitization of user-supplied     input.  An unauthenticated, remote attacker can     exploit this, via a specially crafted request, to     execute arbitrary script code in a user's browser     session. 

  - Multiple path traversal vulnerabilities exist in the     file unzipping code and customizer. A remote attacker     may be able to read arbitrary files subject to the     privileges under which the web server runs.

  - An open redirect flaw exists on the user and term edit     screens. A remote attacker can exploit this, by     tricking a user into following a specially crafted link,     to redirect a user to an arbitrary website.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
98305	WordPress 3.7.x < 3.7.22 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98304	WordPress 3.8.x < 3.8.22 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98303	WordPress 3.9.x < 3.9.20 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98302	WordPress 4.0.x < 4.0.19 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98301	WordPress 4.1.x < 4.1.19 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98300	WordPress 4.2.x < 4.2.16 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98299	WordPress 4.3.x < 4.3.12 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98298	WordPress 4.4.x < 4.4.11 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98297	WordPress 4.5.x < 4.5.10 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98296	WordPress 4.6.x < 4.6.7 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98295	WordPress 4.7.x < 4.7.6 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98294	WordPress 4.8.x < 4.8.2 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
103793	Debian DSA-3997-1 : wordpress - security update	Nessus	Debian Local Security Checks	critical
103585	FreeBSD : wordpress -- multiple issues (a48d4478-e23f-4085-8ae4-6b3a7b6f016b)	Nessus	FreeBSD Local Security Checks	high
103358	WordPress < 4.8.2 Multiple Vulnerabilities	Nessus	CGI abuses	critical

Detections

Analytics

CVE-2017-14724

medium

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

high

critical