Exposure of WordPress

Blogs, CMS

2,065

exposure score

2,932,393

sites use

0

exploited

174

critical

Vexday analysis

WordPress acumula 2.381 CVEs catalogadas, com 174 classificadas como críticas e 95 surgidas apenas nos últimos 90 dias, o que indica um fluxo contínuo e elevado de novas vulnerabilidades para a plataforma. A falha mais comum é CWE-79 (Cross-Site Scripting), refletindo a superfície de ataque característica de ambientes com grande volume de plugins e temas de terceiros. Embora a taxa de exploração ativa esteja abaixo da média geral do catálogo CISA KEV, o EPSS máximo observado chega a 0,977, e o CVE-2022-21661 — uma vulnerabilidade de consulta SQL — apresenta EPSS de 0,978, sinalizando altíssima probabilidade de exploração e merecendo atenção prioritária em qualquer plano de remediação. Equipes de segurança devem monitorar ativamente o ritmo de publicações recentes e manter políticas rigorosas de atualização, especialmente em instalações com extensões de terceiros.

CVEs

2,387 results

CVE-2021-24544—Responsive WordPress Slider <= 2.2.0 - Subscriber+ Stored Cross-Site ScriptingEPSS 0.6%CVE-2021-24969—Download Manager < 3.2.22 - Subscriber+ Stored Cross-Site ScriptingEPSS 0.6%CVE-2021-24654—User Registration < 2.0.2 - Low Privilege Stored Cross-Site ScriptingEPSS 0.6%CVE-2024-0907MEDIUMNEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 - Missing Authorization via restore_records()EPSS 0.6%CVE-2024-1129MEDIUMNEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 - Missing Authorization via set_starred()EPSS 0.6%CVE-2024-1130MEDIUMNEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 - Missing Authorization via set_read()EPSS 0.6%CVE-2021-24623—WordPress Advanced Ticket System < 1.0.64 - Authenticated Stored Cross-Site Scripting (XSS)EPSS 0.6%CVE-2021-24381—NinjaForms < 3.5.8.2 - Admin+ Stored Cross-Site ScriptingEPSS 0.6%CVE-2021-24230—Patreon WordPress < 1.7.0 - CSRF to Overwrite/Create User MetaEPSS 0.6%CVE-2021-24787—Client Invoicing by Sprout Invoices < 19.9.7 - Admin+ Stored Cross-Site ScriptingEPSS 0.6%CVE-2021-24744—WordPress Contact Forms by Cimatti < 1.4.12 - Admin+ Stored Cross-Site ScriptingEPSS 0.6%CVE-2021-24708—WP All Export < 1.3.1 - Admin+ Stored Cross-Site ScriptingEPSS 0.6%CVE-2021-24718—ARForms Form Builder < 1.5 - Admin+ Stored Cross Site ScriptingEPSS 0.6%CVE-2021-24714—WP All Import < 3.6.3 - Admin+ Stored Cross-Site ScriptingEPSS 0.6%CVE-2021-24673—Appointment Hour Booking < 1.3.16 - Authenticated Stored Cross-Site ScriptingEPSS 0.6%CVE-2022-29417MEDIUMWordPress ShortPixel Adaptive Images plugin <= 3.3.1 - Subscriber+ Plugin Settings Update vulnerabilityEPSS 0.6%CVE-2024-37259HIGHWordPress WP Extended plugin <= 2.4.7 - Cross Site Scripting (XSS) vulnerabilityEPSS 0.6%CVE-2026-7459HIGHSimple History – Track, Log, and Audit WordPress Changes <= 5.26.0 - Authenticated (Subscriber+) Account Takeover via Missing Authorization on Event Reaction EndpointEPSS 0.6%CVE-2022-2190MEDIUMEnvira Gallery Lite < 1.8.4.7 - Reflected Cross-Site ScriptingEPSS 0.6%CVE-2022-43492MEDIUMWordPress Comments – wpDiscuz plugin 7.4.2 - Auth. Insecure Direct Object References (IDOR) vulnerabilityEPSS 0.6%

← previouspage 33 / 120next →

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →