Exposición de WordPress

Blogs, CMS

2061

score de exposición

2.932.393

sitios usan

en explotación

174

críticos

Análisis Vexday

WordPress acumula 2.381 CVEs catalogadas, com 174 classificadas como críticas e 95 surgidas apenas nos últimos 90 dias, o que indica um fluxo contínuo e elevado de novas vulnerabilidades para a plataforma. A falha mais comum é CWE-79 (Cross-Site Scripting), refletindo a superfície de ataque característica de ambientes com grande volume de plugins e temas de terceiros. Embora a taxa de exploração ativa esteja abaixo da média geral do catálogo CISA KEV, o EPSS máximo observado chega a 0,977, e o CVE-2022-21661 — uma vulnerabilidade de consulta SQL — apresenta EPSS de 0,978, sinalizando altíssima probabilidade de exploração e merecendo atenção prioritária em qualquer plano de remediação. Equipes de segurança devem monitorar ativamente o ritmo de publicações recentes e manter políticas rigorosas de atualização, especialmente em instalações com extensões de terceiros.

CVEs

2387 resultados

CVE-2025-39545MEDIUMWordPress REST API Authentication plugin <= 3.6.3 - Settings Change VulnerabilityEPSS 0.4%CVE-2025-12137MEDIUMImport WP – Export and Import CSV and XML files to WordPress <= 2.14.16 - Authenticated (Admin+) Arbitrary File ReadEPSS 0.4%CVE-2024-4305MEDIUMPostX < 4.1.0 - Contributor+ Stored XSSEPSS 0.4%CVE-2023-5742MEDIUMEasyRotator for WordPress <= 1.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via ShortcodeEPSS 0.4%CVE-2022-29495MEDIUMWordPress Popup Builder plugin <= 4.1.11 - Cross-Site Request Forgery (CSRF) leading to plugin settings updateEPSS 0.4%CVE-2024-33931MEDIUMWordPress JW Player for WordPress plugin <= 2.3.3 - Broken Access Control vulnerabilityEPSS 0.4%CVE-2021-36905MEDIUMWordPress Quiz And Survey Master plugin <= 7.3.4 - Multiple Auth. Stored Cross-Site Scripting (XSS) vulnerabilitiesEPSS 0.4%CVE-2021-36876MEDIUMWordPress uListing plugin <= 2.0.5 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilitiesEPSS 0.4%CVE-2024-0595MEDIUMAwesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 - Missing Authorization via wpas_get_users()EPSS 0.4%CVE-2025-6989HIGHKallyas <= 4.21.0 - Authenticated (Contributor+) Arbitrary Folder DeletionEPSS 0.4%CVE-2023-47191MEDIUMWordPress Youzify Plugin <= 1.2.2 is vulnerable to Insecure Direct Object References (IDOR)EPSS 0.4%CVE-2021-36877MEDIUMWordPress uListing plugin <= 2.0.5 - Modify User Roles via Cross-Site Request Forgery (CSRF) vulnerabilityEPSS 0.4%CVE-2024-11069MEDIUMWordPress GDPR <= 2.0.2 - Missing Authorization to Unauthenticated Arbitrary User DeletionEPSS 0.4%CVE-2022-37328LOWWordPress History Timeline plugin <= 1.0.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerabilityEPSS 0.4%CVE-2024-13562HIGHImport WP – Export and Import CSV and XML files to WordPress <= 2.14.5 - Unauthenticated Sensitive Information Exposure Through Unprotected DirectoryEPSS 0.4%CVE-2022-4541HIGHWordPress Visitors <= 1.0 - Unauthenticated Stored Cross-Site Scripting via HTTP HeaderEPSS 0.4%CVE-2024-1463MEDIUMLearnPress <= 4.2.6.3 - Authenticated(LP Instructor+) Stored Cross-Site ScriptingEPSS 0.4%CVE-2021-24968—Ultimate FAQ < 2.1.2 - Subscriber+ Arbitrary FAQ CreationEPSS 0.4%CVE-2023-5738—WordPress Backup & Migration < 1.4.5 - Subscriber+ Stored XSSEPSS 0.4%CVE-2024-13232HIGHWordPress Awesome Import & Export Plugin - Import & Export WordPress Data <= 4.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary SQL Execution/Privilege EscalationEPSS 0.4%

← anteriorpágina 57 / 120siguiente →

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →