CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2017-14722 – WordPress Core < 4.8.2 - Directory Traversal via Customizer
https://notcve.org/view.php?id=CVE-2017-14722
19 Sep 2017 — Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename. Antes de la versión 4.8.2, WordPress permitía un ataque de salto de directorio en el componente Customizer mediante un nombre de tema manipulado. • http://www.securityfocus.com/bid/100912 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 2CVE-2017-14723 – WordPress Core < 4.8.2 - SQL Injection via Mishandled Placeholders
https://notcve.org/view.php?id=CVE-2017-14723
19 Sep 2017 — Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks. Antes de la versión 4.8.2, WordPress no gestionaba correctamente caracteres % y valores de sustitución adicionales en $wpdb->prepare, por lo que no abordaba correctamente la posibilidad de que los plugins o los temas permitiesen los ataques de inyección SQL. • http://www.securityfocus.com/bid/100912 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14725 – WordPress Core < 4.8.2 - Open Redirect in Admin Dashboard
https://notcve.org/view.php?id=CVE-2017-14725
19 Sep 2017 — Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php. Antes de la versión 4.8.2, WordPress era susceptible a un ataque de redirección abierta en wp-admin/edit-tag-form.php y wp-admin/user-edit.php. • http://www.securityfocus.com/bid/100912 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14726 – WordPress Core < 4.8.2 - Cross-Site Scripting via Shortcodes
https://notcve.org/view.php?id=CVE-2017-14726
19 Sep 2017 — Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor. Antes de la versión 4.8.2, WordPress era vulnerable a un ataque de Cross-Site Scripting (XSS) mediante shortcodes en el editor visual TinyMCE. • http://www.securityfocus.com/bid/100912 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2012-6707 – WordPress Core - Informational - All known Versions - Weak Hashing Algorithm
https://notcve.org/view.php?id=CVE-2012-6707
20 Jun 2012 — WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress wi... • https://core.trac.wordpress.org/ticket/21022 • CWE-261: Weak Encoding for Password CWE-326: Inadequate Encryption Strength •