Page 12 of 193 results (0.015 seconds)

CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0

Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. En versiones anteriores a la 4.9.5 de WordPress, la cadena de versión no se escapó en la función get_the_generator, lo que podría conducir a Cross-Site Scripting (XSS) en una etiqueta generator. • http://www.securityfocus.com/bid/103775 http://www.securitytracker.com/id/1040836 https://codex.wordpress.org/Version_4.9.5 https://core.trac.wordpress.org/changeset/42893 https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d https://lists.debian.org/debian-lts-announce/2018/04/msg00031.html https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/9055 https://www.debian.org/security/2018/dsa-4193 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0

Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS. En versiones anteriores a la 4.9.5 de WordPress, la URL de redirección para la página de inicio de sesión no se validó o saneó si se forzó el uso de HTTPS. • http://www.securitytracker.com/id/1040836 https://codex.wordpress.org/Version_4.9.5 https://core.trac.wordpress.org/changeset/42892 https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e https://lists.debian.org/debian-lts-announce/2018/04/msg00031.html https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/9054 https://www.debian.org/security/2018/dsa-4193 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 7.5EPSS: 29%CPEs: 1EXPL: 15

In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times. En WordPress hasta la versión 4.9.2, los atacantes no autenticados puede provocar una denegación de servicio (consumo de recursos) utilizando una lista grande de archivos .js registrados (de wp-includes/script-loader.php) para construir una serie de peticiones para cargar cada archivo muchas veces. In WordPress before 5.0, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times. It looks like most of the slowness was due to forcing PHP to repeatedly compress the output scripts, which was addressed in 5.0. WordPress Core suffers from a load-scripts.php denial of service vulnerability. • https://www.exploit-db.com/exploits/43968 https://github.com/safebuffer/CVE-2018-6389 https://github.com/knqyf263/CVE-2018-6389 https://github.com/armaanpathan12345/WP-DOS-Exploit-CVE-2018-6389 https://github.com/thechrono13/PoC---CVE-2018-6389 https://github.com/ianxtianxt/CVE-2018-6389 https://github.com/dsfau/wordpress-CVE-2018-6389 https://github.com/amit-pathak009/CVE-2018-6389-FIX https://github.com/Jetserver/CVE-2018-6389-FIX https://github.com/mudhappy/Wordpre • CWE-400: Uncontrolled Resource Consumption •

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0

WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). WordPress en versiones anteriores a la 4.9.2 tiene XSS en los archivos Flash de reserva en MediaElement (en wp-includes/js/mediaelement). • https://codex.wordpress.org/Version_4.9.2 https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850 https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/9006 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0

wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file. wp-includes/functions.php en WordPress en versiones anteriores a la 4.9.1 no necesita la capacidad de unfiltered_html para subir archivos .js, lo que puede permitir que los atacantes remotos realicen ataques Cross-Site Scripting (XSS) mediante un archivo manipulado. • http://www.securityfocus.com/bid/102024 https://codex.wordpress.org/Version_4.9.1 https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509 https://lists.debian.org/debian-lts-announce/2017/12/msg00019.html https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8966 https://www.debian.org/security/2018/dsa-4090 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •