NotCVE - vendor:"WordPress Foundation" product:"WordPress" version:" >= 4.5.0 <= 4.5.26"

Page 12 of 130 results (0.009 seconds)

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

CVE-2017-5492 – WordPress Core < 4.7.1 - Cross-Site Request Forgery via Widget Editing

https://notcve.org/view.php?id=CVE-2017-5492

11 Jan 2017 — Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php. Vulnerabilidad de CSRF en la funcionalidad de modo de accesibilidad de edición de widget en WordPress en versiones anteriores a 4.7.1 permite a atacantes remotos secuestrar la autenticaci... • http://www.debian.org/security/2017/dsa-3779 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0

CVE-2017-5493 – WordPress Core < 4.7.1 - Weak Multi-Site Activation Key for User and Site Signup

https://notcve.org/view.php?id=CVE-2017-5493

11 Jan 2017 — wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup. wp-includes/ms-functions.php en la API Multisite WordPress en WordPress en versiones anteriores a 4.7.1 no elige adecuadamente los números aleatorios para claves, lo que hace que más fácil para atacantes remotos eludir las restricciones destina... • http://www.debian.org/security/2017/dsa-3779 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •

CVSS: 9.8EPSS: 93%CPEs: 3EXPL: 11

CVE-2016-10045 – PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution

https://notcve.org/view.php?id=CVE-2016-10045

28 Dec 2016 — The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033. El transporte isMail en PHPMailer en versiones anteriores a 5.2.20 podrían permitir a atacantes remotos pasar parámetros extra al comando ... • https://packetstorm.news/files/id/140286 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 9.8EPSS: 94%CPEs: 3EXPL: 38

CVE-2016-10033 – WordPress Core 4.6 - Remote Code Execution

https://notcve.org/view.php?id=CVE-2016-10033

26 Dec 2016 — The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property. La función mailSend en el transporte isMail en PHPMailer en versiones anteriores a 5.2.18 podrían permitir a atacantes remotos pasar parámetros extra al comando mail y consecuentemente ejecutar código arbitrario a través de una \" (barra invertida comillas dobl... • https://packetstorm.news/files/id/142486 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0

CVE-2016-7168 – WordPress Core < 4.6.1 - Authenticated Stored Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2016-7168

07 Sep 2016 — Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename. Vulnerabilidad de XSS en la función media_handle_upload en wp-admin/includes/media.php en WordPress en versiones anteriores a 4.6.1 podría permitir a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios ... • http://www.debian.org/security/2016/dsa-3681 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 3%CPEs: 1EXPL: 0

CVE-2016-7169 – WordPress Core < 4.6.1 - Authenticated Directory Traversal to Arbitrary File Access

https://notcve.org/view.php?id=CVE-2016-7169

07 Sep 2016 — Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter. Vulnerabilidad de salto de directorio en la clase File_Upload_Upgrader en wp-admin/includes/class-file-upload-upgrader.php en el cargador del paquete de actualización en WordPress en versiones anteriores a 4.6.1 permite a usuarios remotos ... • http://www.debian.org/security/2016/dsa-3681 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 7.1EPSS: 24%CPEs: 1EXPL: 2

CVE-2016-6896 – WordPress Core <= 4.5.3 - Denial of Service

https://notcve.org/view.php?id=CVE-2016-6896

22 Aug 2016 — Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool. Vulnerabilidad de salto de directorio en la función wp_ajax_update_plugin en wp-admin/includes/ajax-actions.php en WordPress 4.5.3 permite a usu... • https://www.exploit-db.com/exploits/40288 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-400: Uncontrolled Resource Consumption •

CVSS: 8.8EPSS: 30%CPEs: 1EXPL: 2

CVE-2016-6897 – WordPress Core < 4.6 - Cross-Site Request Forgery

https://notcve.org/view.php?id=CVE-2016-6897

16 Aug 2016 — Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896. Vulnerabilidad de CSRF en la función wp_ajax_update_plugin en wp-admin/includes/ajax-actions.php en WordPress en versiones anteriores a 4.6 permite a atacantes remotos ... • https://packetstorm.news/files/id/180504 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

CVE-2016-10148 – WordPress Core < 4.6 - Authorization Bypass

https://notcve.org/view.php?id=CVE-2016-10148

16 Aug 2016 — The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896. La función wp_ajax_update_plugin en wp-admin/includes/ajax-actions.php en WordPress en versiones anteriores a 4.6 hace una llamada get_plugin_data antes de comprobar la... • http://www.openwall.com/lists/oss-security/2016/08/20/1 • CWE-254: 7PK - Security Features CWE-284: Improper Access Control CWE-862: Missing Authorization •

CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0

CVE-2016-5832 – WordPress Core < 4.5.3 - Cross-Site Scripting via Customizer

https://notcve.org/view.php?id=CVE-2016-5832

18 Jun 2016 — The customizer in WordPress before 4.5.3 allows remote attackers to bypass intended redirection restrictions via unspecified vectors. El customizador en WordPress en versiones anteriores a 4.5.3 permite a atacantes remotos eludir las restricciones destinadas a la redirección a través de vectores no especificados. Several vulnerabilities were discovered in wordpress, a web blogging tool, which could allow remote attackers to compromise a site via cross-site scripting, bypass restrictions, obtain sensitive re... • http://www.debian.org/security/2016/dsa-3639 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

1...10 11 12 13