WordPress - HackerOne Reports
Total Reports: 82 | Critical: 4 | High: 18 | Medium: 31 | Low: 19
Wordpress 4.8.1 - Rogue editor leads to RCE. And the risks of same origin frame scripting in general
Reported by: skansing | Disclosed: | Severity: High
Buddypress 2.9.1 - Exceeding the maximum upload size - XSS leading to potential RCE.
Reported by: skansing | Disclosed: | Severity: Medium
Missing Authorization on Private Message replies (BuddyPress)
Reported by: klmunday | Disclosed: | Severity: Low | Weakness: Improper Access Control - Generic
Stored XSS in Private Message component (BuddyPress)
Reported by: klmunday | Disclosed: | Severity: Critical | Weakness: Cross-site Scripting (XSS) - Stored
Clickjacking on donation page
Reported by: b0d8e6c576cada9bb87be7b | Disclosed: | Severity: Low | Weakness: UI Redressing (Clickjacking)
Authenticated Stored Cross-site Scripting in bbPress
Reported by: whoisbinit | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Stored
Arbitrary change of blog's background image via CSRF
Reported by: erwan_lr | Disclosed: | Severity: Medium | Weakness: Cross-Site Request Forgery (CSRF)
Open API For Username enumeration
Reported by: sameerphad72 | Disclosed: | Severity: Low
PII of users can be downloaded from export pages
Reported by: chip_sec | Disclosed: | Severity: Medium | Weakness: Information Disclosure
Clickjacking - https://mercantile.wordpress.org/
Reported by: giantfire | Disclosed: | Severity: Low | Weakness: UI Redressing (Clickjacking)
Arbitrary file deletion in wp-core - guides towards RCE and information disclosure
Reported by: b258ea62bf297b02afa9854 | Disclosed: | Severity: Critical | Weakness: Path Traversal
CSRF to HTML Injection in Comments
Reported by: simonscannell | Disclosed: | Severity: High | Weakness: Cross-Site Request Forgery (CSRF)
[Buddypress] Arbitrary File Deletion through bp_avatar_set
Reported by: mopman | Disclosed: | Severity: High
CSRF to add admin [wordpress]
Reported by: abdullah | Disclosed: | Weakness: Cross-Site Request Forgery (CSRF)
Information / sensitive data disclosure on some endpoints
Reported by: europa | Disclosed: | Severity: Medium | Weakness: Information Disclosure
Wordpress 4.7.2 - Two XSS in Media Upload when file too large.
Reported by: skansing | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Generic
[support.wordcamp.org] - publicly accessible .svn repository
Reported by: kazan71p | Disclosed: | Weakness: Improper Access Control - Generic
Open Redirect on the nl.wordpress.net
Reported by: sp1d3rs | Disclosed: | Severity: Low | Weakness: Open Redirect
Clickjacking mercantile.wordpress.org
Reported by: villagelad | Disclosed: | Severity: Low | Weakness: UI Redressing (Clickjacking)
Authenticated XXE
Reported by: sonarsource | Disclosed: | Severity: Medium | Weakness: XML External Entities (XXE)
Page 1 of 5