CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2019-17674 – WordPress Core < 5.2.4 - Authenticated Stored Cross-Site Scripting via Customizer
https://notcve.org/view.php?id=CVE-2019-17674
WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer. WordPress versiones anteriores a 5.2.4, es vulnerable a un ataque de tipo XSS almacenado (cross-site scripting) por medio del Customizer. • https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html https://seclists.org/bugtraq/2020/Jan/8 https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release https://wpvulndb.com/vulnerabilities/9908 https://www.debian.org/security/2020/dsa-4599 https://www.debian.org/security/2020/dsa-4677 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2019-17675 – WordPress Core < 5.2.4 - Type Confusion
https://notcve.org/view.php?id=CVE-2019-17675
WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF. WordPress antes de 5.2.4, no considera apropiadamente la confusión de tipos durante la comprobación del referente en las páginas de administración, conllevando posiblemente a un ataque de tipo CSRF. • https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html https://core.trac.wordpress.org/changeset/46477 https://github.com/WordPress/WordPress/commit/b183fd1cca0b44a92f0264823dd9f22d2fd8b8d0 https://lists.debian.org/debian-lts-announce/2019/11/msg00000.html https://seclists.org/bugtraq/2020/Jan/8 https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release https://wpvulndb.com/vulnerabilities/9913 https://www.debian.org/security/2020/dsa-4 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 5.3EPSS: 1%CPEs: 4EXPL: 2CVE-2019-17671 – WordPress Core < 5.2.4 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2019-17671
In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled. En WordPress anterior a 5.2.4, es posible la visualización no autenticada de cierto contenido porque la propiedad de consulta estática es manejada inapropiadamente. • https://www.exploit-db.com/exploits/47690 https://github.com/rhbb/CVE-2019-17671 https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html https://core.trac.wordpress.org/changeset/46474 https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308 https://lists.debian.org/debian-lts-announce/2019/11/msg00000.html https://seclists.org/bugtraq/2020/Jan/8 https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release& • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-285: Improper Authorization •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2019-16217 – WordPress Core < 5.2.3 - Cross-Site Scripting via Media Uploads
https://notcve.org/view.php?id=CVE-2019-16217
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled. WordPress versiones anteriores a 5.2.3, permite un ataque de tipo XSS en cargas multimedia porque wp_ajax_upload_attachment es manejado inapropiadamente. • https://core.trac.wordpress.org/changeset/45936 https://lists.debian.org/debian-lts-announce/2019/10/msg00023.html https://seclists.org/bugtraq/2020/Jan/8 https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release https://www.debian.org/security/2020/dsa-4599 https://www.debian.org/security/2020/dsa-4677 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2019-16218 – WordPress Core < 5.2.3 - Stored Cross-Site Scripting via Comments
https://notcve.org/view.php?id=CVE-2019-16218
WordPress before 5.2.3 allows XSS in stored comments. WordPress versiones anteriores a 5.2.3, permite un ataque de tipo XSS en los comentarios almacenados. • https://lists.debian.org/debian-lts-announce/2019/10/msg00023.html https://seclists.org/bugtraq/2020/Jan/8 https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/9861 https://www.debian.org/security/2020/dsa-4599 https://www.debian.org/security/2020/dsa-4677 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •