CVE-2007-4483 – Classic <= 1.5 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-4483
Cross-site scripting (XSS) vulnerability in index.php in the WordPress Classic 1.5 theme in WordPress before 2.1.3 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF). Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en index.php del tema WordPress Classic 1.5 para WordPress permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante el PATH_INFO (PHP_SELF). • http://osvdb.org/38450 http://securityvulns.ru/Rdocument751.html http://websecurity.com.ua/1234 http://www.securityfocus.com/archive/1/477253/100/0/threaded • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2007-4893 – WordPress Core <= 2.2.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-4893
wp-admin/admin-functions.php in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a does not properly verify the unfiltered_html privilege, which allows remote attackers to conduct cross-site scripting (XSS) attacks via modified data to (1) post.php or (2) page.php with a no_filter field. wp-admin/admin-functions.php de Wordpress versiones anteriores a 2.2.3 y Wordpress multi-user (MU) versiones anteriores a 1.2.5a no verifican apropiadamente el privilegio unfiltered_html, lo cual permite a atacantes remotos conducir ataques de secuencias de comandos en sitios cruzados (XSS) mediante datos modificados en (1) post.php ó (2) page.php con un campo no filtrado. • http://fedoranews.org/updates/FEDORA-2007-214.shtml http://secunia.com/advisories/26771 http://secunia.com/advisories/26796 http://trac.wordpress.org/ticket/4720 http://wordpress.org/development/2007/09/wordpress-223 http://www.securityfocus.com/bid/25639 http://www.vupen.com/english/advisories/2007/3132 https://bugzilla.redhat.com/show_bug.cgi?id=285831 https://exchange.xforce.ibmcloud.com/vulnerabilities/36576 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2007-4154 – WordPress Core <= 2.2.1 - SQL Injection
https://notcve.org/view.php?id=CVE-2007-4154
SQL injection vulnerability in options.php in WordPress 2.2.1 allows remote authenticated administrators to execute arbitrary SQL commands via the page_options parameter to (1) options-general.php, (2) options-writing.php, (3) options-reading.php, (4) options-discussion.php, (5) options-privacy.php, (6) options-permalink.php, (7) options-misc.php, and possibly other unspecified components. Vulnerabilidad de inyección SQL en options.php de WordPress 2.2.1 permite a administradores autenticados remotamente ejecutar comandos SQL de su elección a través del parámetro page_options de (2) options-general.php, (2) options-writing.php, (3) options-reading.php, (4) options-discussion.php, (5) options-privacy.php, (6) options-permalink.php, (7) options-misc.php, y posiblemente otros componentes no especificados. • http://mybeni.rootzilla.de/mybeNi/2007/wordpress_zeroday_vulnerability_roundhouse_kick_and_why_i_nearly_wrote_the_first_blog_worm http://secunia.com/advisories/30013 http://www.debian.org/security/2008/dsa-1564 https://exchange.xforce.ibmcloud.com/vulnerabilities/35719 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2007-4153 – WordPress Core <= 2.2.1 - Authenticated (Admin+) Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-4153
Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.2.1 allow remote authenticated administrators to inject arbitrary web script or HTML via (1) the Options Database Table in the Admin Panel, accessed through options.php; or (2) the opml_url parameter to link-import.php. NOTE: this might not cross privilege boundaries in some configurations, since the Administrator role has the unfiltered_html capability. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en WordPress 2.2.1 permiten a administradores autenticados remotamente inyectar secuencias de comandos web o HTML de su elección a través de (2) la tabla Options de la base de datos en el Panel de Administración, accedida a través de options.php;o (2) el parámetro opml_url de link-import.php. NOTA: esto podría no cruzar fronteras de privilegios en algunas configuraciones, puesto que el rol de Administrador tiene la capacidad unfiltered_html. • http://codex.wordpress.org/Roles_and_Capabilities http://mybeni.rootzilla.de/mybeNi/2007/wordpress_zeroday_vulnerability_roundhouse_kick_and_why_i_nearly_wrote_the_first_blog_worm http://osvdb.org/46994 http://osvdb.org/46995 http://secunia.com/advisories/30013 http://www.debian.org/security/2008/dsa-1564 https://exchange.xforce.ibmcloud.com/vulnerabilities/35720 https://exchange.xforce.ibmcloud.com/vulnerabilities/35722 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2007-4139 – WordPress Core <= 2.2.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-4139
Cross-site scripting (XSS) vulnerability in the Temporary Uploads editing functionality (wp-admin/includes/upload.php) in WordPress 2.2.1, allows remote attackers to inject arbitrary web script or HTML via the style parameter to wp-admin/upload.php. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la funcionalidad de edición Temporary Uploads (wp-admin/includes/upload.php) de WordPress 2.2.1, permite a usuarios remotos inyectar scripts web o HTML de su elección a través del parámetro style en wp-admin/upload.php. • http://mybeni.rootzilla.de/mybeNi/2007/wordpress_zeroday_vulnerability_roundhouse_kick_and_why_i_nearly_wrote_the_first_blog_worm http://osvdb.org/36621 http://secunia.com/advisories/26296 http://trac.wordpress.org/attachment/ticket/4689/4689.diff http://trac.wordpress.org/ticket/4689 http://www.securityfocus.com/bid/25158 http://www.vupen.com/english/advisories/2007/2744 https://exchange.xforce.ibmcloud.com/vulnerabilities/35718 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •