CVSS: 6.4EPSS: 8%CPEs: 1EXPL: 0CVE-2017-6818 – WordPress Core < 4.7.3 - Cross-Site Scripting via Taxonomy names
https://notcve.org/view.php?id=CVE-2017-6818
06 Mar 2017 — In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names. En WordPress en versiones anteriores a 4.7.3 (wp-admin/js/tags-box.js), hay secuencias de comandos de sitios cruzados (XSS) a través de nombres de términos de taxonomía. • http://www.securityfocus.com/bid/96601 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 8%CPEs: 1EXPL: 2CVE-2017-6819 – WordPress Core < 4.7.3 - Cross-Site Request Forgery via Press This
https://notcve.org/view.php?id=CVE-2017-6819
06 Mar 2017 — In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This. En WordPress en versiones anteriores a 4.7.3, hay CSRF en Press This (wp-admin/includes/class-wp-press-this.php), lo que conduce a un uso excesivo de recursos del servidor. El CSRF puede desencadenar una solicitud HTTP de salida para un ar... • http://openwall.com/lists/oss-security/2017/03/06/7 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 2%CPEs: 3EXPL: 0CVE-2017-5610 – WordPress Core < 4.7.2 - Authorization Bypass to Term Disclosure
https://notcve.org/view.php?id=CVE-2017-5610
26 Jan 2017 — wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remote attackers to bypass intended access restrictions by reading terms. wp-admin/includes/class-wp-press-this.php en Press This en WordPress versiones anteriores a 4.7.2 no restringe adecuadamente la visibilidad de una interfaz de usuario de asignación de taxonomía, lo que permite a atacantes remotos eludir las restricciones destinada... • http://www.debian.org/security/2017/dsa-3779 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-285: Improper Authorization •
CVSS: 9.8EPSS: 8%CPEs: 6EXPL: 0CVE-2017-5611 – WordPress Core < 4.7.2 - Authenticated SQL Injection
https://notcve.org/view.php?id=CVE-2017-5611
26 Jan 2017 — SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name. Vulnerabilidad de inyección SQL en wp-includes/class-wp-query.php en WP_Query en WordPress en versiones anteriores a 4.7.2 permite a atacantes remotos ejecutar comandos SQL arbitrarios aprovechando la presencia de un plugin o tema afectado que no maneja ... • http://www.debian.org/security/2017/dsa-3779 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 1%CPEs: 3EXPL: 0CVE-2017-5612 – WordPress Core < 4.7.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-5612
26 Jan 2017 — Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt. Vulnerabilidad de XSS en wp-admin/includes/class-wp-posts-list-table.php en la tabla de lista de publicaciones en WordPress en versiones anteriores a 4.7.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un extracto manipulado. Several v... • http://www.debian.org/security/2017/dsa-3779 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 92%CPEs: 1EXPL: 14CVE-2017-5487 – WordPress Core < 4.7.1 - Information Disclosure
https://notcve.org/view.php?id=CVE-2017-5487
11 Jan 2017 — wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request. wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php en la implementación REST API en WordPress 4.7 en versiones anteriores a 4.7.1 no restringe adecuadamente los listados de autores de publicación, lo que permite a atacan... • https://packetstorm.news/files/id/141429 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-5488 – WordPress Core < 4.7.1 - Cross-Site Scripting via Name and Version Header of Plugin
https://notcve.org/view.php?id=CVE-2017-5488
11 Jan 2017 — Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) version header of a plugin. Múltiples vulnerabilidades de XSS en wp-admin/update-core.php en WordPress en versiones anteriores a 4.7.1 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del (1) nombre o (2) encabezado de versión de un plugin. Several vulnerabilities were discov... • http://www.debian.org/security/2017/dsa-3779 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-5489 – WordPress Core < 4.7.1 - Cross-Site Request Forgery via Uploading Flash File
https://notcve.org/view.php?id=CVE-2017-5489
11 Jan 2017 — Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload. Vulnerabilidad de CSRF en WordPress en versiones anteriores a 4.7.1 permite a atacantes remotos secuestrar la autenticación de victimas no especificadas a través de vectores que implican una carga de archivo Flash. Several vulnerabilities were discovered in wordpress, a web blogging tool. They would allow remote attac... • http://www.debian.org/security/2017/dsa-3779 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 0CVE-2017-5490 – WordPress Core < 4.7.1 - Stored Cross-Site Scripting via theme directory name
https://notcve.org/view.php?id=CVE-2017-5490
11 Jan 2017 — Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted directory name of a theme, related to wp-admin/includes/class-theme-installer-skin.php. Vulnerabilidad de XSS en la funcionalidad de retorno de nombre de tema en wp-includes/class-wp-theme.php en WordPress en versiones anteriores a 4.7.1 permite a atacantes remotos inyectar secuencias de coma... • http://www.debian.org/security/2017/dsa-3779 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 1%CPEs: 1EXPL: 0CVE-2017-5491 – WordPress Core < 4.7.1 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2017-5491
11 Jan 2017 — wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name. wp-mail.php en WordPress en versiones anteriores a 4.7.1 podría permitir a atacantes remotos eludir las restricciones de publicación previstas a través de un servidor de correo falsificado con el nombre mail.example.com. Several vulnerabilities were discovered in wordpress, a web blogging tool. They would allow remote attackers to hijack victims... • http://www.debian.org/security/2017/dsa-3779 • CWE-285: Improper Authorization CWE-1188: Initialization of a Resource with an Insecure Default •