Page 10 of 227 results (0.009 seconds)

CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS. En WordPress, en versiones anteriores a la 4.9.9 y versiones 5.x anteriores a la 5.0.1, los contribuyentes podrían modificar nuevos comentarios realizados por los usuarios con mayores privilegios, lo que podría provocar Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/106220 https://codex.wordpress.org/Version_4.9.9 https://lists.debian.org/debian-lts-announce/2019/02/msg00019.html https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release https://wordpress.org/support/wordpress-version/version-5-0-1 https://wpvulndb.com/vulnerabilities/9172 https://www.debian.org/security/2019/dsa-4401 https://www.zdnet.com/article/wordpress-plugs-bug-that-led-to-google-indexing-some-user-passwords • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 1%CPEs: 4EXPL: 1

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php. En WordPress, en versiones anteriores a la 4.9.9 y versiones 5.x anteriores a la 5.0.1, los contribuyentes pueden llevar a cabo ataques de inyección de objetos PHP mediante metadatos manipulados en una llamada wp.getMediaItem. Esto viene provocado por la gestión incorrecta de datos serializados en URL phar:// en la función wp_get_attachment_thumb_file en wp-includes/post.php. • http://www.securityfocus.com/bid/106220 https://blog.secarma.co.uk/labs/near-phar-dangerous-unserialization-wherever-you-are https://codex.wordpress.org/Version_4.9.9 https://lists.debian.org/debian-lts-announce/2019/02/msg00019.html https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release https://wordpress.org/support/wordpress-version/version-5-0-1 https://wpvulndb.com/vulnerabilities/9171 https://www.debian.org/security/2019/dsa-4401 https://www.zdnet.com/articl • CWE-502: Deserialization of Untrusted Data •

CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0

In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. En WordPress, en versiones anteriores a la 4.9.9 y versiones 5.x anteriores a la 5.0.1, los autores podrían omitir las restricciones planeadas sobre los tipos de publicación mediante entradas manipuladas. • http://www.securityfocus.com/bid/106220 https://codex.wordpress.org/Version_4.9.9 https://lists.debian.org/debian-lts-announce/2019/02/msg00019.html https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release https://wordpress.org/support/wordpress-version/version-5-0-1 https://wpvulndb.com/vulnerabilities/9170 https://www.debian.org/security/2019/dsa-4401 https://www.zdnet.com/article/wordpress-plugs-bug-that-led-to-google-indexing-some-user-passwords • CWE-20: Improper Input Validation CWE-285: Improper Authorization •

CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0

In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data. En WordPress, en versiones anteriores a la 4.9.9 y versiones 5.x anteriores a la 5.0.1, cuando se emplea el servidor HTTP de Apache, los autores podrían subir archivos arbitrarios que omiten las restricciones de tipo MIME planeadas, lo que conduce a Cross-Site Scripting (XSS). Esto queda demostrado por un archivo .jpg sin datos JPEG. • http://www.securityfocus.com/bid/106220 https://codex.wordpress.org/Version_4.9.9 https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a https://lists.debian.org/debian-lts-announce/2019/02/msg00019.html https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release https://wordpress.org/support/wordpress-version/version-5-0-1 https://wpvulndb.com/vulnerabilities/9175 https://www.debian.org/security/2019/dsa-4401 https://www.zdnet.com/article/wordpress- • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0

In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins. En WordPress, en versiones anteriores a la 4.9.9 y versiones 5.x anteriores a la 5.0.1, las URL manipuladas podrían desencadenar Cross-Site Scripting (XSS) para ciertos casos de uso relacionados con los plugins. • http://www.securityfocus.com/bid/106220 https://codex.wordpress.org/Version_4.9.9 https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460 https://lists.debian.org/debian-lts-announce/2019/02/msg00019.html https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release https://wordpress.org/support/wordpress-version/version-5-0-1 https://wpvulndb.com/vulnerabilities/9173 https://www.debian.org/security/2019/dsa-4401 https://www.zdnet.com/article/wordpress- • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •