CVSS: 6.4EPSS: 8%CPEs: 1EXPL: 0CVE-2017-6818 – WordPress Core < 4.7.3 - Cross-Site Scripting via Taxonomy names
https://notcve.org/view.php?id=CVE-2017-6818
06 Mar 2017 — In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names. En WordPress en versiones anteriores a 4.7.3 (wp-admin/js/tags-box.js), hay secuencias de comandos de sitios cruzados (XSS) a través de nombres de términos de taxonomía. • http://www.securityfocus.com/bid/96601 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 5%CPEs: 3EXPL: 0CVE-2017-6815 – WordPress Core < 4.7.3 - Bypass URL Validation
https://notcve.org/view.php?id=CVE-2017-6815
06 Mar 2017 — In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation. En WordPress en versiones anteriores a 4.7.3 (wp-includes/pluggable.php), los caracteres de control pueden trucar la validación de la URL de direccionamiento. • http://www.debian.org/security/2017/dsa-3815 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 9%CPEs: 1EXPL: 2CVE-2017-6819 – WordPress Core < 4.7.3 - Cross-Site Request Forgery via Press This
https://notcve.org/view.php?id=CVE-2017-6819
06 Mar 2017 — In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This. En WordPress en versiones anteriores a 4.7.3, hay CSRF en Press This (wp-admin/includes/class-wp-press-this.php), lo que conduce a un uso excesivo de recursos del servidor. El CSRF puede desencadenar una solicitud HTTP de salida para un ar... • http://openwall.com/lists/oss-security/2017/03/06/7 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.5EPSS: 2%CPEs: 3EXPL: 0CVE-2017-6816 – WordPress Core < 4.7.3 - Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2017-6816
06 Mar 2017 — In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality. En WordPress en versiones anteriores a 4.7.3 (wp-admin/plugins.php), los archivos no deseados pueden ser eliminados por los administradores utilizando la funcionalidad del plugin deletion. • http://www.debian.org/security/2017/dsa-3815 • CWE-863: Incorrect Authorization •
CVSS: 6.4EPSS: 2%CPEs: 3EXPL: 2CVE-2017-6814 – WordPress Core < 4.7.3 - Cross-Site Scripting via Media Metadata
https://notcve.org/view.php?id=CVE-2017-6814
06 Mar 2017 — In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in the renderTracks function in wp-includes/js/mediaelement/wp-playlist.js. En WordPress en versiones anteriores a 4.7.3, hay XSS autenticada a través de Media File Metadata. Esto es demostrado tanto por (1) mal manejo de la playlist sh... • http://openwall.com/lists/oss-security/2017/03/06/8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 4%CPEs: 3EXPL: 0CVE-2017-6817 – WordPress Core < 4.7.3 - Authenticated Cross-Site Scripting in Youtube URL Embeds
https://notcve.org/view.php?id=CVE-2017-6817
06 Mar 2017 — In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds. En WordPress en versiones anteriores a 4.7.3 (wp-includes/embed.php), hay secuencias de comandos en sitios cruzados (XSS) autenticada en URLs incrustadas de YouTube . • http://www.debian.org/security/2017/dsa-3815 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 80%CPEs: 3EXPL: 0CVE-2017-1001000 – WordPress Core < 4.7.2 - Arbitrary Page Modification
https://notcve.org/view.php?id=CVE-2017-1001000
26 Jan 2017 — The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI. La función register_routes en wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php en la API REST... • http://www.openwall.com/lists/oss-security/2017/02/10/16 • CWE-285: Improper Authorization •
CVSS: 5.3EPSS: 1%CPEs: 1EXPL: 0CVE-2017-6514 – WordPress Core < 4.7.2 - Path Disclosure
https://notcve.org/view.php?id=CVE-2017-6514
01 Jan 2017 — WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, related to the "author_name":" substring. WordPress 4.7.2 maneja de manera inapropiada los listados de los autores de las publicaciones, esto permite a los atacantes remotos obtener información confidencial (Path Disclosure) mediante un /wp-json/oembed/1.0/embed?url= request, relacionada con la subcadena "author_name": ". • http://www.securityfocus.com/bid/108459 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2012-6707 – WordPress Core - Informational < 6.8 - Weak Hashing Algorithm
https://notcve.org/view.php?id=CVE-2012-6707
20 Jun 2012 — WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress wi... • https://core.trac.wordpress.org/ticket/21022 • CWE-261: Weak Encoding for Password CWE-326: Inadequate Encryption Strength •