CVE-2019-16220 — Vulnetix

CVE-2019-16220 PUBLISHED

In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash.

EPSS 0.82% · 74.8th percentile

Risk Scores

EPSS Score

0.82%

74.8th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:25.10	wordpress	6.7.2+dfsg1-1.1ubuntu1, 0
Ubuntu:18.04:LTS	wordpress	*, 0, 4.8.2+dfsg-2
Ubuntu:20.04:LTS	wordpress	0, 5.2.2+dfsg1-1, 5.2.4+dfsg1-1
Ubuntu:16.04:LTS	wordpress	0, ,
Ubuntu:24.04:LTS	wordpress	6.2+dfsg1-1ubuntu1, 6.4.3+dfsg1-1ubuntu1, 0
Ubuntu:22.04:LTS	wordpress	0, 5.7.1+dfsg1-2ubuntu1, 5.8.1+dfsg1-2ubuntu1

Exploit Intelligence

Timeline

Sep 11, 2019 CVE Published
Apr 14, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Apr 1, 2022 EPSS Score
Mar 7, 2023 EPSS Score
Aug 21, 2024 CVE Updated
Mar 23, 2025 EPSS Score
Mar 24, 2025 EPSS Score
Mar 29, 2025 EPSS Score
May 1, 2025 EPSS Score
May 4, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2019-16220 third-party-advisory
https://core.trac.wordpress.org/changeset/45971 third-party-advisory
https://github.com/WordPress/WordPress/commit/c86ee39ff4c1a79b93c967eb88522f5c09614a28 third-party-advisory
https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/ third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2019-16220 third-party-advisory

Open in Interactive Console →