"CVEs": Difference between revisions

From WordPress Chinese Documentation

(cleaned up to match the Codex Guidelines - great work!)

(1 revision)

(4 intermediate revisions by 3 users not shown)

Line 1: Line 1:
CVE stands for Common Vulnerabilities and Exposures, which is an industry standard way to track security issues in software applications. They are tracked centrally in the [http://nvd.nist.gov/ National Vulnerability Database] run by the Department of Homeland Security.
+
CVE stands for Common Vulnerabilities and Exposures, which is an industry standard way to track security issues in software applications. They are tracked centrally in the [http://nvd.nist.gov/ National Vulnerability Database] [http://web.nvd.nist.gov/view/vuln/search?execution=e1s1 2]. NVD is a product of the [http://csrc.nist.gov/ NIST Computer Security Division].
  
Although many CVEs mention WordPress, only a few are applicable. Here is a list of CVEs that mention WordPress, organized by year, and whether the CVE impacts WordPress Plugins, the core programming, WordPress.com, or another aspect of WordPress, as well as which version of WordPress was impacted.
+
Although many CVEs mention WordPress, only a few are applicable. Here is a list of CVEs that mention WordPress, organized by year, and whether the CVE impacts WordPress Plugins, the core programming, WordPress.com, or another aspect of WordPress, as well as which version of WordPress was impacted. The Date used is the date of the report going public and not the day the vulnerability was discovered.
  
 
In terms of security of your WordPress blog, being on the [http://www.wordpress.org/download/ latest version of WordPress] is all you need. WordPress generally fixes vulnerabilities and releases an upgrade or security update version before they become public and are issued a CVE.
 
In terms of security of your WordPress blog, being on the [http://www.wordpress.org/download/ latest version of WordPress] is all you need. WordPress generally fixes vulnerabilities and releases an upgrade or security update version before they become public and are issued a CVE.
 +
 +
WordPress uses third party applications like the Apache webserver, the PHP scripting language and the MySQL database. You should keep these versions current as well. Reports for these third party applications are not listed on this page.
 +
 +
Additionally you can take precaution actions by using [http://www.hardened-php.net/suhosin/ Suhosin], an advanced protection system for PHP installations.
 +
 +
== 2010 ==
 +
1 total CVEs, 1 apply to core, 0 to legacy, and 0 are invalid. (for 2010 only core CVEs listed here)
 +
<table>
 +
<tr>
 +
<th width="125">CVE ID</th>
 +
<th width="100">Date</th>
 +
<th width="125">Impact</th>
 +
<th>Notes</th>
 +
</tr>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2010-0682 CVE-2010-0682]</td><td>2010-02-23</td><td>Core</td><td>Unauthorized Disclosure</td></tr>
 +
</table>
 +
 +
== 2009 ==
 +
16 total CVEs, 1 apply to plugins, 15 apply to core, 0 to legacy, and 0 are invalid. (for 2009 mostly core CVEs listed here, too many plugins)
 +
<table>
 +
<tr>
 +
<th width="125">CVE ID</th>
 +
<th width="100">Date</th>
 +
<th width="125">Impact</th>
 +
<th>Notes</th>
 +
</tr>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-3891 CVE-2009-3891]</td><td>2009-11-17</td><td>Core</td><td>XSS</td>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-3890 CVE-2009-3890]</td><td>2009-11-17</td><td>Core</td><td>File Upload Bypass</td>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-3622 CVE-2009-3622]</td><td>2009-10-23</td><td>Core</td><td>Denial Of Service</td>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-2854 CVE-2009-2854]</td><td>2009-08-18</td><td>Core</td><td>Boundary Escalation</td>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-2853 CVE-2009-2853]</td><td>2009-08-18</td><td>Core</td><td>Privelege Escalation</td>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-2851 CVE-2009-2851]</td><td>2009-08-18</td><td>Core</td><td>XSS</td>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-2762 CVE-2009-2762]</td><td>2009-08-13</td><td>Core</td><td>Password Reset</td>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-2432 CVE-2009-2432]</td><td>2009-07-10</td><td>Core</td><td>Information Disclosure (as well for WPMU)</td>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-2431 CVE-2009-2431]</td><td>2009-07-10</td><td>Core</td><td>Information Disclosure</td>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-2336 CVE-2009-2336]</td><td>2009-07-10</td><td>Core</td><td>User Information Disclosure </td>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-2335 CVE-2009-2335]</td><td>2009-07-10</td><td>Core</td><td>User Information Disclosure</td>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-2334 CVE-2009-2334]</td><td>2009-07-10</td><td>Core</td><td>Privelege Escalation / Information Disclosure</td>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-6767 CVE-2008-6767]</td><td>2009-04-28</td><td>Core</td><td>Denial Of Service</td>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-6762 CVE-2008-6762]</td><td>2009-03-20</td><td>Core</td><td>Open Redirect</td>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-1030 CVE-2009-1030]</td><td>2009-03-20</td><td>Core</td><td>WordPress MU below 2.7</td></tr>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-0968 CVE-2009-0968]</td><td>2009-03-19</td><td>Plugin</td><td>&nbsp;</td></tr>
 +
</table>
  
 
== 2008 ==
 
== 2008 ==
  
42 total CVEs, 33 apply to plugins, 3 apply to core, 2 to legacy, and 4 are invalid.
+
59 total CVEs, 40 apply to plugins, 10 apply to core, 3 to legacy, and 6 are invalid.
 +
 
 +
<table>
 +
<tr>
 +
<th width="125">CVE ID</th>
 +
<th width="100">Date</th>
 +
<th width="125">Impact</th>
 +
<th>Notes</th>
 +
</tr>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-6811 CVE-2008-6811]</td><td>2009-05-18</td><td>Plugin</td><td>&nbsp;</td></tr>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-6767 CVE-2008-6767]</td><td>2009-04-28</td><td>Invalid</td><td>Same Report as in [http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-6762 CVE-2008-6762]</td></tr>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-6762 CVE-2008-6762]</td><td>2009-04-28</td><td>Core</td><td>&nbsp;</td></tr>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-5752 CVE-2008-5752]</td><td>2008-12-30</td><td>Plugin</td><td>&nbsp;</td></tr>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-5695 CVE-2008-5695]</td><td>2008-12-19</td><td>Legacy Core</td><td>WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier</td></tr>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-5278 CVE-2008-5278]</td><td>2008-11-28</td><td>Core</td><td>WordPress before 2.6.5</td></tr>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-5113 CVE-2008-5113]</td><td>2008-11-17</td><td>Core</td><td>WordPress 2.6.3</td></tr>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-4769 CVE-2008-4769]</td><td>2008-10-28</td><td>Core</td><td>WordPress 2.3.3 and earlier, and 2.5</td></tr>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-4734 CVE-2008-4734]</td><td>2008-10-24</td><td>Plugin</td><td>&nbsp;</td></tr>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-4733 CVE-2008-4733]</td><td>2008-10-24</td><td>Plugin</td><td>&nbsp;</td></tr>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-4671 CVE-2008-4671]</td><td>2008-10-22</td><td>Core</td><td>Wordpress MU before 2.6</td></tr>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-4625 CVE-2008-4625]</td><td>2008-10-21</td><td>Plugin</td><td>&nbsp;</td></tr>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-4616 CVE-2008-4616]</td><td>2008-10-20</td><td>Plugin</td><td>&nbsp;</td></tr>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-4106 CVE-2008-4106]</td><td>2008-09-18</td><td>Core</td><td>WordPress before 2.6.2</td></tr>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-3747 CVE-2008-3747]</td><td>2008-08-27</td><td>Core</td><td>WordPress before 2.6.1</td></tr>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-3362 CVE-2008-3362]</td><td>2008-07-30</td><td>Plugin</td><td>&nbsp;</td></tr>
 +
<tr><td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-3233 CVE-2008-3233]</td><td>2008-07-18</td><td>Invalid</td><td>SVN only</td></tr>
 +
 
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-2510 CVE-2008-2510]</td>
 +
<td>2008-05-29</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-2392 CVE-2008-2392]</td>
 +
<td>2008-05-21</td>
 +
<td>Invalid</td>
 +
<td>&quot;Admin&quot; user has ability to edit plugins and upload files if file permissions allow- this is intentional.</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-2146 CVE-2008-2146]</td>
 +
<td>2008-05-12</td>
 +
<td>Invalid</td>
 +
<td>Describes a known issue in WordPress 2.2, which was released more than a year before. (Covered by previous CVE.) The problem described was fixed 9 months before this report.</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-2068 CVE-2008-2068]</td>
 +
<td>2008-05-02</td>
 +
<td>Core</td>
 +
<td>&quot;Unspecified vectors&quot; were never publicly reported, but fixed in 2.5.1. </td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-2034 CVE-2008-2034]</td>
 +
<td>2008-04-30</td>
 +
<td>Plugin</td>
 +
<td></td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-1930 CVE-2008-1930]</td>
 +
<td>2008-04-28</td>
 +
<td>Core</td>
 +
<td>Cookie-based cryptographic splicing attack. Fixed in 2.5.1 prior to disclosure.</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-2146 CVE-2008-2146]</td>
 +
<td>2008-04-27</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-1982 CVE-2008-1982]</td>
 +
<td>2008-04-02</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-1304 CVE-2008-1304]</td>
 +
<td>2008-03-12</td>
 +
<td>WordPress.com</td>
 +
<td>XSS in invite system on WordPress.com, did not apply to WordPress.org blogs at all.</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-1060 CVE-2008-1060]</td>
 +
<td>2008-02-28</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-1059 CVE-2008-1059]</td>
 +
<td>2008-02-28</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0939 CVE-2008-0939]</td>
 +
<td>2008-02-25</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0845 CVE-2008-0845]</td>
 +
<td>2008-02-20</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0837 CVE-2008-0837]</td>
 +
<td>2008-02-20</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0691 CVE-2008-0691]</td>
 +
<td>2008-02-11</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0683 CVE-2008-0683]</td>
 +
<td>2008-02-11</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0682 CVE-2008-0682]</td>
 +
<td>2008-02-11</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0664 CVE-2008-0664]</td>
 +
<td>2008-02-07</td>
 +
<td>Core</td>
 +
<td>If registration was enabled, an undisclosed vulnerability in XML-RPC. Fixed by 2.5 prior to disclosure.</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0618 CVE-2008-0618]</td>
 +
<td>2008-02-06</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0617 CVE-2008-0617]</td>
 +
<td>2008-02-06</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0616 CVE-2008-0616]</td>
 +
<td>2008-02-06</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0615 CVE-2008-0615]</td>
 +
<td>2008-02-06</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0560 CVE-2008-0560]</td>
 +
<td>2008-02-04</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0520 CVE-2008-0520]</td>
 +
<td>2008-01-31</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0508 CVE-2008-0508]</td>
 +
<td>2008-01-31</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0507 CVE-2008-0507]</td>
 +
<td>2008-01-31</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0491 CVE-2008-0491]</td>
 +
<td>2008-01-30</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0490 CVE-2008-0490]</td>
 +
<td>2008-01-30</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0388 CVE-2008-0388]</td>
 +
<td>2008-01-22</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0222 CVE-2008-0222]</td>
 +
<td>2008-01-10</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0206 CVE-2008-0206]</td>
 +
<td>2008-01-09</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0205 CVE-2008-0205]</td>
 +
<td>2008-01-09</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0204 CVE-2008-0204]</td>
 +
<td>2008-01-09</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0198 CVE-2008-0198]</td>
 +
<td>2008-01-09</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0197 CVE-2008-0197]</td>
 +
<td>2008-01-09</td>
 +
<td>Plugin</td>
 +
<td>&nbsp;</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0196 CVE-2008-0196]</td>
 +
<td>2008-01-09</td>
 +
<td>Legacy Core</td>
 +
<td>Problem in legacy 2.0 branch of WordPress, not applicable to current versions.</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0195 CVE-2008-0195]</td>
 +
<td>2008-01-09</td>
 +
<td>Legacy Core</td>
 +
<td>Disclosure in legacy 2.0 branch of WordPress, not applicable to current versions.</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0194 CVE-2008-0194]</td>
 +
<td>2008-01-09</td>
 +
<td>Plugin</td>
 +
<td>Fixed in version 2.1.0 of this plugin, released 7 months prior to this CVE</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0193 CVE-2008-0193]</td>
 +
<td>2008-01-09</td>
 +
<td>Plugin</td>
 +
<td>Fixed in version 2.1.0 of this plugin, released 7 months prior to this CVE</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0192 CVE-2008-0192]</td>
 +
<td>2008-01-09</td>
 +
<td>Invalid</td>
 +
<td>Problem already fixed by 2.0.10 release 9 months before this CVE.</td>
 +
</tr>
 +
<tr>
 +
<td>[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-0191 CVE-2008-0191]</td>
 +
<td>2008-01-09</td>
 +
<td>Invalid</td>
 +
<td>Could not recreate in current release (2.3.2) at that time</td>
 +
</tr>
 +
</table>
 +
 
 +
== See Also ==
 +
* [[User:Here/Exploits]]
  
[[Category:Advanced Topics]]
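Review bot: the new 2008 table disagrees with the new 2009 table on CVE-2008-6767 and CVE-2008-6762. The 2009 table lists CVE-2008-6767 as Core / Denial Of Service and dates CVE-2008-6762 2009-03-20, while the 2008 table marks CVE-2008-6767 Invalid as the "Same Report as in CVE-2008-6762" and dates both 2009-04-28; pick one classification and one date per CVE and keep each ID in a single year's table. CVE-2008-2146 also appears twice in the 2008 table (2008-05-12 Invalid, and 2008-04-27 Plugin with an empty note); one of those rows most likely carries the wrong CVE ID and should be checked against the NVD entry before it is published. Lastly, the 2009 rows from CVE-2009-3891 down to CVE-2008-6762 open a table row without closing it (only the last two rows have a closing tag); close every row so the table renders the same in all browsers.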

Latest revision as of 04:19, 2 August 2013 (Friday)

CVE stands for Common Vulnerabilities and Exposures, an industry-standard way to track security issues in software applications. CVEs are tracked centrally in the National Vulnerability Database (NVD), which is a product of the NIST Computer Security Division.

Although many CVEs mention WordPress, only a few are applicable. Below is a list of CVEs that mention WordPress, organized by year, showing whether each CVE affects WordPress plugins, the core code, WordPress.com, or another aspect of WordPress, as well as which version of WordPress was affected. The date given is the date the report went public, not the day the vulnerability was discovered.

In terms of security of your WordPress blog, being on the latest version of WordPress is all you need. WordPress generally fixes vulnerabilities and releases an upgrade or security update version before they become public and are issued a CVE.

WordPress uses third party applications like the Apache webserver, the PHP scripting language and the MySQL database. You should keep these versions current as well. Reports for these third party applications are not listed on this page.

Additionally, you can take precautionary measures by using Suhosin, an advanced protection system for PHP installations.

== 2010 ==

1 CVE in total: 1 applies to core, 0 to legacy, and 0 are invalid. (For 2010 only core CVEs are listed here.)

<table>
<tr>
<th width="125">CVE ID</th>
<th width="100">Date</th>
<th width="125">Impact</th>
<th>Notes</th>
</tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0682 CVE-2010-0682]</td><td>2010-02-23</td><td>Core</td><td>Unauthorized Disclosure</td></tr>
</table>

== 2009 ==

16 CVEs in total: 1 applies to plugins, 15 apply to core, 0 to legacy, and 0 are invalid. (For 2009 mostly core CVEs are listed here; there are too many plugin CVEs to list.)

<table>
<tr>
<th width="125">CVE ID</th>
<th width="100">Date</th>
<th width="125">Impact</th>
<th>Notes</th>
</tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3891 CVE-2009-3891]</td><td>2009-11-17</td><td>Core</td><td>XSS</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3890 CVE-2009-3890]</td><td>2009-11-17</td><td>Core</td><td>File Upload Bypass</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3622 CVE-2009-3622]</td><td>2009-10-23</td><td>Core</td><td>Denial Of Service</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2854 CVE-2009-2854]</td><td>2009-08-18</td><td>Core</td><td>Boundary Escalation</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2853 CVE-2009-2853]</td><td>2009-08-18</td><td>Core</td><td>Privilege Escalation</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2851 CVE-2009-2851]</td><td>2009-08-18</td><td>Core</td><td>XSS</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2762 CVE-2009-2762]</td><td>2009-08-13</td><td>Core</td><td>Password Reset</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2432 CVE-2009-2432]</td><td>2009-07-10</td><td>Core</td><td>Information Disclosure (also affects WPMU)</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2431 CVE-2009-2431]</td><td>2009-07-10</td><td>Core</td><td>Information Disclosure</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2336 CVE-2009-2336]</td><td>2009-07-10</td><td>Core</td><td>User Information Disclosure</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2335 CVE-2009-2335]</td><td>2009-07-10</td><td>Core</td><td>User Information Disclosure</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2334 CVE-2009-2334]</td><td>2009-07-10</td><td>Core</td><td>Privilege Escalation / Information Disclosure</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6767 CVE-2008-6767]</td><td>2009-04-28</td><td>Core</td><td>Denial Of Service</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6762 CVE-2008-6762]</td><td>2009-03-20</td><td>Core</td><td>Open Redirect</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1030 CVE-2009-1030]</td><td>2009-03-20</td><td>Core</td><td>WordPress MU below 2.7</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0968 CVE-2009-0968]</td><td>2009-03-19</td><td>Plugin</td><td>&nbsp;</td></tr>
</table>

== 2008 ==

59 CVEs in total: 40 apply to plugins, 10 apply to core, 3 to legacy, and 6 are invalid.

<table>
<tr>
<th width="125">CVE ID</th>
<th width="100">Date</th>
<th width="125">Impact</th>
<th>Notes</th>
</tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6811 CVE-2008-6811]</td><td>2009-05-18</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6767 CVE-2008-6767]</td><td>2009-04-28</td><td>Invalid</td><td>Same report as in [http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6762 CVE-2008-6762]</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6762 CVE-2008-6762]</td><td>2009-04-28</td><td>Core</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5752 CVE-2008-5752]</td><td>2008-12-30</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5695 CVE-2008-5695]</td><td>2008-12-19</td><td>Legacy Core</td><td>WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5278 CVE-2008-5278]</td><td>2008-11-28</td><td>Core</td><td>WordPress before 2.6.5</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5113 CVE-2008-5113]</td><td>2008-11-17</td><td>Core</td><td>WordPress 2.6.3</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4769 CVE-2008-4769]</td><td>2008-10-28</td><td>Core</td><td>WordPress 2.3.3 and earlier, and 2.5</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4734 CVE-2008-4734]</td><td>2008-10-24</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4733 CVE-2008-4733]</td><td>2008-10-24</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4671 CVE-2008-4671]</td><td>2008-10-22</td><td>Core</td><td>WordPress MU before 2.6</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4625 CVE-2008-4625]</td><td>2008-10-21</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4616 CVE-2008-4616]</td><td>2008-10-20</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4106 CVE-2008-4106]</td><td>2008-09-18</td><td>Core</td><td>WordPress before 2.6.2</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3747 CVE-2008-3747]</td><td>2008-08-27</td><td>Core</td><td>WordPress before 2.6.1</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3362 CVE-2008-3362]</td><td>2008-07-30</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3233 CVE-2008-3233]</td><td>2008-07-18</td><td>Invalid</td><td>SVN only</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2510 CVE-2008-2510]</td><td>2008-05-29</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2392 CVE-2008-2392]</td><td>2008-05-21</td><td>Invalid</td><td>The "Admin" user has the ability to edit plugins and upload files if file permissions allow; this is intentional.</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2146 CVE-2008-2146]</td><td>2008-05-12</td><td>Invalid</td><td>Describes a known issue in WordPress 2.2, which was released more than a year before. (Covered by a previous CVE.) The problem described was fixed 9 months before this report.</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2068 CVE-2008-2068]</td><td>2008-05-02</td><td>Core</td><td>"Unspecified vectors" were never publicly reported, but fixed in 2.5.1.</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2034 CVE-2008-2034]</td><td>2008-04-30</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1930 CVE-2008-1930]</td><td>2008-04-28</td><td>Core</td><td>Cookie-based cryptographic splicing attack. Fixed in 2.5.1 prior to disclosure.</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2146 CVE-2008-2146]</td><td>2008-04-27</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1982 CVE-2008-1982]</td><td>2008-04-02</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1304 CVE-2008-1304]</td><td>2008-03-12</td><td>WordPress.com</td><td>XSS in the invite system on WordPress.com; did not apply to WordPress.org blogs at all.</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1060 CVE-2008-1060]</td><td>2008-02-28</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1059 CVE-2008-1059]</td><td>2008-02-28</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0939 CVE-2008-0939]</td><td>2008-02-25</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0845 CVE-2008-0845]</td><td>2008-02-20</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0837 CVE-2008-0837]</td><td>2008-02-20</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0691 CVE-2008-0691]</td><td>2008-02-11</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0683 CVE-2008-0683]</td><td>2008-02-11</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0682 CVE-2008-0682]</td><td>2008-02-11</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0664 CVE-2008-0664]</td><td>2008-02-07</td><td>Core</td><td>If registration was enabled, an undisclosed vulnerability in XML-RPC. Fixed by 2.5 prior to disclosure.</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0618 CVE-2008-0618]</td><td>2008-02-06</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0617 CVE-2008-0617]</td><td>2008-02-06</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0616 CVE-2008-0616]</td><td>2008-02-06</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0615 CVE-2008-0615]</td><td>2008-02-06</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0560 CVE-2008-0560]</td><td>2008-02-04</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0520 CVE-2008-0520]</td><td>2008-01-31</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0508 CVE-2008-0508]</td><td>2008-01-31</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0507 CVE-2008-0507]</td><td>2008-01-31</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0491 CVE-2008-0491]</td><td>2008-01-30</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0490 CVE-2008-0490]</td><td>2008-01-30</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0388 CVE-2008-0388]</td><td>2008-01-22</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0222 CVE-2008-0222]</td><td>2008-01-10</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0206 CVE-2008-0206]</td><td>2008-01-09</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0205 CVE-2008-0205]</td><td>2008-01-09</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0204 CVE-2008-0204]</td><td>2008-01-09</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0198 CVE-2008-0198]</td><td>2008-01-09</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0197 CVE-2008-0197]</td><td>2008-01-09</td><td>Plugin</td><td>&nbsp;</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0196 CVE-2008-0196]</td><td>2008-01-09</td><td>Legacy Core</td><td>Problem in the legacy 2.0 branch of WordPress; not applicable to current versions.</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0195 CVE-2008-0195]</td><td>2008-01-09</td><td>Legacy Core</td><td>Disclosure in the legacy 2.0 branch of WordPress; not applicable to current versions.</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0194 CVE-2008-0194]</td><td>2008-01-09</td><td>Plugin</td><td>Fixed in version 2.1.0 of this plugin, released 7 months prior to this CVE</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0193 CVE-2008-0193]</td><td>2008-01-09</td><td>Plugin</td><td>Fixed in version 2.1.0 of this plugin, released 7 months prior to this CVE</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0192 CVE-2008-0192]</td><td>2008-01-09</td><td>Invalid</td><td>Problem already fixed by the 2.0.10 release, 9 months before this CVE.</td></tr>
<tr><td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0191 CVE-2008-0191]</td><td>2008-01-09</td><td>Invalid</td><td>Could not be reproduced in the current release (2.3.2) at that time</td></tr>
</table>

== See Also ==