CVSS: 8.6EPSS: 1%CPEs: 3EXPL: 0CVE-2017-9062 – WordPress Core < 4.7.5 - Mishandling Post Meta Values via XML-RPC
https://notcve.org/view.php?id=CVE-2017-9062
16 May 2017 — In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API. En WordPress anteriores a 4.7.5, existe una manipulación incorrecta de los valores meta-datos al hacer el post en la API XML-RPC. Several vulnerabilities were discovered in wordpress, a web blogging tool. They would allow remote attackers to force password resets, and perform various cross-site scripting and cross-site request forgery attacks. • http://www.debian.org/security/2017/dsa-3870 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-285: Improper Authorization CWE-352: Cross-Site Request Forgery (CSRF) CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.8EPSS: 1%CPEs: 3EXPL: 0CVE-2017-9064 – WordPress Core < 4.7.5 - Cross-Site Request Forgery Filesystem Credential Update
https://notcve.org/view.php?id=CVE-2017-9064
16 May 2017 — In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials. En WordPress antes de 4.7.5, existe una vulnerabilidad de Cross Site Request Forgery (CSRF) en el diálogo de credenciales del sistema de archivos porque no se requiere un nonce para actualizar las credenciales. Several vulnerabilities were discovered in wordpress, a web blogging tool. They would allow remote attackers to force pass... • http://www.debian.org/security/2017/dsa-3870 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2017-9065 – WordPress Core < 4.7.5 - Authorization Bypass Allowing Post Meta Updates
https://notcve.org/view.php?id=CVE-2017-9065
16 May 2017 — In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API. En WordPress anteriores a 4.7.5, hay una falta de verificaciones de capacidad para el envío de metadatos en la API XML-RPC. Several vulnerabilities were discovered in wordpress, a web blogging tool. They would allow remote attackers to force password resets, and perform various cross-site scripting and cross-site request forgery attacks. • http://www.debian.org/security/2017/dsa-3870 • CWE-20: Improper Input Validation CWE-285: Improper Authorization •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2017-9063 – WordPress Core < 4.7.5 - Cross-Site Scripting via Customizer
https://notcve.org/view.php?id=CVE-2017-9063
16 May 2017 — In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session. En WordPress anteriores a 4.7.5, existe una vulnerabilidad de XSS (cross-site scripting) relacionada con la salida del personalizador, en una sesión de personalización no válida. Several vulnerabilities were discovered in wordpress, a web blogging tool. They would allow remote attackers to force password resets, and perform various cross-site scripting and cross... • http://www.debian.org/security/2017/dsa-3870 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.6EPSS: 0%CPEs: 3EXPL: 0CVE-2017-9066 – WordPress Core < 4.7.5 - Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2017-9066
16 May 2017 — In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF. En WordPress anterior a versión 4.7.5, no hay suficiente validación de redireccionamiento en la clase de HTTP, lo que conlleva a una vulnerabilidad de tipo SSRF. Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform SQL injections and various Cross-Side Scripting (XSS) and Server-Side Request Forgery (SSRF) attacks, as well as bypass some acce... • http://www.securityfocus.com/bid/98509 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.9EPSS: 9%CPEs: 1EXPL: 5CVE-2017-8295 – Wordpress Core < 5.5 - Unauthorized Password Reset via Interception
https://notcve.org/view.php?id=CVE-2017-8295
03 May 2017 — WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function.... • https://www.exploit-db.com/exploits/41963 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2017-6815 – WordPress Core < 4.7.3 - Bypass URL Validation
https://notcve.org/view.php?id=CVE-2017-6815
06 Mar 2017 — In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation. En WordPress en versiones anteriores a 4.7.3 (wp-includes/pluggable.php), los caracteres de control pueden trucar la validación de la URL de direccionamiento. • http://www.debian.org/security/2017/dsa-3815 • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2017-6816 – WordPress Core < 4.7.3 - Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2017-6816
06 Mar 2017 — In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality. En WordPress en versiones anteriores a 4.7.3 (wp-admin/plugins.php), los archivos no deseados pueden ser eliminados por los administradores utilizando la funcionalidad del plugin deletion. • http://www.debian.org/security/2017/dsa-3815 • CWE-863: Incorrect Authorization •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2017-6817 – WordPress Core < 4.7.3 - Authenticated Cross-Site Scripting in Youtube URL Embeds
https://notcve.org/view.php?id=CVE-2017-6817
06 Mar 2017 — In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds. En WordPress en versiones anteriores a 4.7.3 (wp-includes/embed.php), hay secuencias de comandos en sitios cruzados (XSS) autenticada en URLs incrustadas de YouTube . • http://www.debian.org/security/2017/dsa-3815 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-6818 – WordPress Core < 4.7.3 - Cross-Site Scripting via Taxonomy names
https://notcve.org/view.php?id=CVE-2017-6818
06 Mar 2017 — In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names. En WordPress en versiones anteriores a 4.7.3 (wp-admin/js/tags-box.js), hay secuencias de comandos de sitios cruzados (XSS) a través de nombres de términos de taxonomía. • http://www.securityfocus.com/bid/96601 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •