Exposure of WordPress

Category: Blogs, CMS
Exposure score: 2,045
Sites using it: 2,932,393
Exploited: 0
Critical: 174
Vexday analysis

WordPress has accumulated 2,381 catalogued CVEs, 174 of them rated critical and 95 published in the last 90 days alone, which points to a continuous and high inflow of new vulnerabilities for the platform. The most common weakness is CWE-79 (Cross-Site Scripting), reflecting the attack surface typical of environments with a large volume of third-party plugins and themes. Although the rate of active exploitation is below the overall average of the CISA KEV catalogue, the maximum observed EPSS reaches 0.977, and CVE-2022-21661, a SQL query vulnerability, has an EPSS of 0.978, signalling a very high probability of exploitation and warranting priority attention in any remediation plan. Security teams should actively monitor the pace of recent publications and maintain strict update policies, especially on installations with third-party extensions.

CVEs

2,381 results
CVE-2022-38070 [MEDIUM] WordPress Pop-up plugin <= 1.1.5 - Privilege Escalation vulnerability (EPSS 0.8%)
CVE-2023-5949 [severity not listed] SmartCrawl WordPress SEO checker < 3.8.3 - Unauthenticated Password Protected Post Disclosure (EPSS 0.8%)
CVE-2024-13770 [HIGH] Puzzles | WP Magazine / Review with Store WordPress Theme + RTL <= 4.2.4 - Unauthenticated PHP Object Injection (EPSS 0.8%)
CVE-2024-12272 [HIGH] WP Travel Engine – Elementor Widgets | Create Travel Booking Website Using WordPress and Elementor <= 1.3.7 - Authenticated (Contributor+) Local File Inclusion (EPSS 0.8%)
CVE-2023-2111 [MEDIUM] HollerBox < 2.1.4 - Admin+ SQL Injection (EPSS 0.8%)
CVE-2021-4363 [MEDIUM] WP Quick FrontEnd Editor <= 5.5 - Reflected Cross-Site Scripting (EPSS 0.8%)
CVE-2021-36875 [MEDIUM] WordPress uListing plugin <= 2.0.5 - Auth. Reflected Cross-Site Scripting (XSS) vulnerability (EPSS 0.7%)
CVE-2023-29432 [HIGH] WordPress Houzez Theme < 2.8.3 is vulnerable to SQL Injection (EPSS 0.7%)
CVE-2024-12626 [CRITICAL] AutomatorWP <= 5.0.9 - Reflected Cross-Site Scripting via a-0-o-search_field_value (EPSS 0.7%)
CVE-2022-36376 [MEDIUM] WordPress Rank Math SEO plugin <= 1.0.95 - Server-Side Request Forgery (SSRF) vulnerability (EPSS 0.7%)
CVE-2021-36901 [MEDIUM] WordPress Age Gate plugin <= 2.17.0 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability (EPSS 0.7%)
CVE-2023-5692 [MEDIUM] WordPress Core <= 6.4.3 - Sensitive Information Exposure via redirect_guess_404_permalink (EPSS 0.7%)
CVE-2024-11816 [HIGH] The Ultimate WordPress Toolkit – WP Extended <= 3.0.11 - Missing Authorization to Authenticated (Subscriber+) Remote Code Execution (EPSS 0.7%)
CVE-2023-48764 [HIGH] WordPress WordPress Brute Force Protection – Stop Brute Force Attacks Plugin <= 2.2.5 is vulnerable to SQL Injection (EPSS 0.7%)
CVE-2021-25103 [severity not listed] GTranslate < 2.9.7 - Reflected Cross-Site Scripting (EPSS 0.7%)
CVE-2024-6847 [CRITICAL] SmartSearch WP <= 2.4.4 - Unauthenticated SQLi (EPSS 0.7%)
CVE-2022-36394 [HIGH] WordPress Contest Gallery plugin <= 17.0.4 - Authenticated SQL Injection (SQLi) vulnerability (EPSS 0.7%)
CVE-2025-2101 [HIGH] Edumall <= 4.2.4 - Unauthenticated Local File Inclusion (EPSS 0.7%)
CVE-2022-36387 [HIGH] WordPress About Me plugin <= 1.0.12 - Broken Access Control vulnerability (EPSS 0.7%)
CVE-2023-46154 [MEDIUM] WordPress e2pdf Plugin <= 1.20.18 is vulnerable to PHP Object Injection (EPSS 0.7%)
