
CVSS: 7.5 | EPSS: 0% | CPEs: 21 | EXPL: 0

Directory traversal vulnerability in the zing_forum_output function in forum.php in the Zingiri Forum (aka Forums) plugin before 1.4.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the url parameter to index.php. • http://osvdb.org/89069 http://secunia.com/advisories/50833 http://wordpress.org/plugins/zingiri-forum/changelog https://exchange.xforce.ibmcloud.com/vulnerabilities/81156 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 6.1 | EPSS: 0% | CPEs: 2 | EXPL: 3

Multiple cross-site scripting (XSS) vulnerabilities in the Zingiri Web Shop plugin 2.4.0 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter in zing.inc.php or (2) notes parameter in fws/pages-front/onecheckout.php. Multiple cross-site scripting (XSS) vulnerabilities in the Zingiri Web Shop plugin 2.4.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter in zing.inc.php or (2) notes parameter in fws/pages-front/onecheckout.php. • https://www.exploit-db.com/exploits/18787 http://plugins.trac.wordpress.org/changeset?reponame=&old=537613%40zingiri-web-shop&new=537613%40zingiri-web-shop http://secunia.com/advisories/48991 http://wordpress.org/extend/plugins/zingiri-web-shop/changelog http://www.exploit-db.com/exploits/18787 http://www.osvdb.org/81492 http://www.osvdb.org/81493 http://www.securityfocus.com/bid/53278 https://exchange.xforce.ibmcloud.com/vulnerabilities/75178 https://exchange.xforce.ibmcloud.com/v • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 10.0 | EPSS: 0% | CPEs: 76 | EXPL: 0

Multiple unspecified vulnerabilities in the Zingiri Web Shop plugin before 2.4.0 for WordPress have unknown impact and attack vectors. The Zingiri Web Shop plugin for WordPress has multiple vulnerabilities in versions up to, and including, 2.3.7. This is due to the inclusion of timthumb.php, along with several cross-site scripting and SQL injection vulnerabilities. This makes it possible for unauthenticated attackers to access and alter data, and create administrator-level accounts. • http://forums.zingiri.com/announcements.php?aid=2 http://secunia.com/advisories/48909 http://wordpress.org/extend/plugins/zingiri-web-shop/changelog https://exchange.xforce.ibmcloud.com/vulnerabilities/75044 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 9.8 | EPSS: 2% | CPEs: 7 | EXPL: 1

PHP remote file inclusion vulnerability in ajax/savetag.php in the Theme Tuner plugin for WordPress before 0.8 allows remote attackers to execute arbitrary PHP code via a URL in the tt-abspath parameter. • http://plugins.trac.wordpress.org/changeset/492167/theme-tuner#file2 http://secunia.com/advisories/47722 http://spareclockcycles.org/2011/09/18/exploitring-the-wordpress-extension-repos http://wordpress.org/extend/plugins/theme-tuner/changelog http://www.securityfocus.com/bid/51636 https://exchange.xforce.ibmcloud.com/vulnerabilities/72626 • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')