CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2017-5493 – WordPress Core < 4.7.1 - Weak Multi-Site Activation Key for User and Site Signup
https://notcve.org/view.php?id=CVE-2017-5493
11 Jan 2017 — wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup. wp-includes/ms-functions.php en la API Multisite WordPress en WordPress en versiones anteriores a 4.7.1 no elige adecuadamente los números aleatorios para claves, lo que hace que más fácil para atacantes remotos eludir las restricciones destina... • http://www.debian.org/security/2017/dsa-3779 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •
CVSS: 5.3EPSS: 92%CPEs: 1EXPL: 15CVE-2017-5487 – WordPress Core < 4.7.1 - Information Disclosure
https://notcve.org/view.php?id=CVE-2017-5487
11 Jan 2017 — wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request. wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php en la implementación REST API en WordPress 4.7 en versiones anteriores a 4.7.1 no restringe adecuadamente los listados de autores de publicación, lo que permite a atacan... • https://packetstorm.news/files/id/141429 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 93%CPEs: 3EXPL: 11CVE-2016-10045 – PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution
https://notcve.org/view.php?id=CVE-2016-10045
28 Dec 2016 — The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033. El transporte isMail en PHPMailer en versiones anteriores a 5.2.20 podrían permitir a atacantes remotos pasar parámetros extra al comando ... • https://packetstorm.news/files/id/140286 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.8EPSS: 94%CPEs: 3EXPL: 39CVE-2016-10033 – WordPress Core 4.6 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2016-10033
26 Dec 2016 — The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property. La función mailSend en el transporte isMail en PHPMailer en versiones anteriores a 5.2.18 podrían permitir a atacantes remotos pasar parámetros extra al comando mail y consecuentemente ejecutar código arbitrario a través de una \" (barra invertida comillas dobl... • https://packetstorm.news/files/id/142486 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2012-6707 – WordPress Core - Informational - All known Versions - Weak Hashing Algorithm
https://notcve.org/view.php?id=CVE-2012-6707
20 Jun 2012 — WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress wi... • https://core.trac.wordpress.org/ticket/21022 • CWE-261: Weak Encoding for Password CWE-326: Inadequate Encryption Strength •