CVSS: 5.3EPSS: 1%CPEs: 4EXPL: 2CVE-2019-17671 – WordPress Core < 5.2.4 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2019-17671
In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled. En WordPress anterior a 5.2.4, es posible la visualización no autenticada de cierto contenido porque la propiedad de consulta estática es manejada inapropiadamente. • https://www.exploit-db.com/exploits/47690 https://github.com/rhbb/CVE-2019-17671 https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html https://core.trac.wordpress.org/changeset/46474 https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308 https://lists.debian.org/debian-lts-announce/2019/11/msg00000.html https://seclists.org/bugtraq/2020/Jan/8 https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release& • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-285: Improper Authorization •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2019-16220 – WordPress Core < 5.2.3 - Open Redirect
https://notcve.org/view.php?id=CVE-2019-16220
In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect. En WordPress versiones anteriores a 5.2.3, la comprobación y el saneamiento de una URL en la función wp_validate_redirect en el archivo wp-includes/pluggable.php podría conllevar a un redireccionamiento abierto. In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash. • https://core.trac.wordpress.org/changeset/45971 https://github.com/WordPress/WordPress/commit/c86ee39ff4c1a79b93c967eb88522f5c09614a28 https://lists.debian.org/debian-lts-announce/2019/10/msg00023.html https://seclists.org/bugtraq/2020/Jan/8 https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/9863 https://www.debian.org/security/2020/dsa-4599 https://www.debian.org/security/2020/dsa-4677 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2019-16217 – WordPress Core < 5.2.3 - Cross-Site Scripting via Media Uploads
https://notcve.org/view.php?id=CVE-2019-16217
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled. WordPress versiones anteriores a 5.2.3, permite un ataque de tipo XSS en cargas multimedia porque wp_ajax_upload_attachment es manejado inapropiadamente. • https://core.trac.wordpress.org/changeset/45936 https://lists.debian.org/debian-lts-announce/2019/10/msg00023.html https://seclists.org/bugtraq/2020/Jan/8 https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release https://www.debian.org/security/2020/dsa-4599 https://www.debian.org/security/2020/dsa-4677 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 2CVE-2019-16223 – WordPress Core < 5.2.3 - Authenticated Cross-Site Scripting via Post Previews
https://notcve.org/view.php?id=CVE-2019-16223
WordPress before 5.2.3 allows XSS in post previews by authenticated users. WordPress versiones anteriores a 5.2.3, permite un ataque de tipo XSS en las vistas previas de publicaciones por parte de usuarios autenticados. WordPress core versions 5.2.2 and below suffer from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/49338 http://packetstormsecurity.com/files/160745/WordPress-Core-5.2.2-Cross-Site-Scripting.html https://lists.debian.org/debian-lts-announce/2019/10/msg00023.html https://seclists.org/bugtraq/2020/Jan/8 https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/9862 https://www.debian.org/security/2020/dsa-4599 https://www.debian.org/security/2020/dsa-4677 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 3%CPEs: 4EXPL: 0CVE-2019-16219 – WordPress Core < 5.2.3 - Reflected Cross-Site Scripting via Shortcode Previews
https://notcve.org/view.php?id=CVE-2019-16219
WordPress before 5.2.3 allows XSS in shortcode previews. WordPress versiones anteriores a 5.2.3, permite un ataque de tipo XSS en las vistas previas de shortcode. • https://fortiguard.com/zeroday/FG-VD-18-165 https://lists.debian.org/debian-lts-announce/2019/10/msg00023.html https://seclists.org/bugtraq/2020/Jan/8 https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/9864 https://www.debian.org/security/2020/dsa-4599 https://www.debian.org/security/2020/dsa-4677 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •