CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5837 – WordPress Core < 4.5.3 - Authorization Bypass to Remove Category Attribute
https://notcve.org/view.php?id=CVE-2016-5837
18 Jun 2016 — WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors. WordPress en versiones anteriores a 4.5.3 permite a atacantes remotos eludir las restricciones destinadas al acceso y eliminar un atributo de categoría desde un post a través de vectores no especificados. Several vulnerabilities were discovered in wordpress, a web blogging tool, which could allow remote attackers to compromise a site via cross-site script... • http://www.debian.org/security/2016/dsa-3639 • CWE-285: Improper Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5839 – WordPress Core < 4.5.3 - Bypass sanitize_file_name Protection
https://notcve.org/view.php?id=CVE-2016-5839
18 Jun 2016 — WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors. WordPress en versiones anteriores a 4.5.3 permite a atacantes remotos eludir el mecanismo de protección sanitize_file_name a través de vectores no especificados. Several vulnerabilities were discovered in wordpress, a web blogging tool, which could allow remote attackers to compromise a site via cross-site scripting, bypass restrictions, obtain sensitive revision-history information,... • http://www.debian.org/security/2016/dsa-3639 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5832 – WordPress Core < 4.5.3 - Cross-Site Scripting via Customizer
https://notcve.org/view.php?id=CVE-2016-5832
18 Jun 2016 — The customizer in WordPress before 4.5.3 allows remote attackers to bypass intended redirection restrictions via unspecified vectors. El customizador en WordPress en versiones anteriores a 4.5.3 permite a atacantes remotos eludir las restricciones destinadas a la redirección a través de vectores no especificados. Several vulnerabilities were discovered in wordpress, a web blogging tool, which could allow remote attackers to compromise a site via cross-site scripting, bypass restrictions, obtain sensitive re... • http://www.debian.org/security/2016/dsa-3639 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2016-5836 – WordPress Core < 4.5.3 - Denial of Service via oEmbed Protocol
https://notcve.org/view.php?id=CVE-2016-5836
18 Jun 2016 — The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors. El protocolo de implementación de oEmbed en WordPress en versiones anteriores a 4.5.3 permite a atacantes remotos provocar una denegación de servicio a través de vectores no especificados. • http://www.securityfocus.com/bid/91363 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2016-4567 – WordPress Core < 4.5.2 - Cross-Site Scripting via MediaElement.js
https://notcve.org/view.php?id=CVE-2016-4567
06 May 2016 — Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn." Vulnerabilidad de XSS en flash/FlashMediaElement.as en MediaElement.js en versiones anteriores a 2.21.0, como se utiliza en WordPress en versiones anteriores a 4.5.2, permite a atacantes remotos inyectar secuencias... • http://www.openwall.com/lists/oss-security/2016/05/07/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 2EXPL: 0CVE-2016-4566 – WordPress Core < 4.5.2 - Cross-Site Scripting via plupload.flash.swf
https://notcve.org/view.php?id=CVE-2016-4566
06 May 2016 — Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack. Vulnerabilidad de XSS en plupload.flash.swf en Plupload en versiones anteriores a 2.1.9, como se utiliza en WordPress en versiones anteriores a 4.5.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un ataque Same-Origin Method ... • http://www.openwall.com/lists/oss-security/2016/05/07/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6634 – WordPress Core < 4.5 - Cross-Site Scripting via Network Settings Page
https://notcve.org/view.php?id=CVE-2016-6634
12 Apr 2016 — Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en la página de configuración de red en WordPress en versiones anteriores a 4.5 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. • http://codex.wordpress.org/Version_4.5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6635 – WordPress Core < 4.5 - Cross-Site Request Forgery via wp_ajax_wp_compression_test
https://notcve.org/view.php?id=CVE-2016-6635
12 Mar 2016 — Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPress before 4.5 allows remote attackers to hijack the authentication of administrators for requests that change the script compression option. Vulnerabilidad de CSRF en la función wp_ajax_wp_compression_test en wp-admin/includes/ajax-actions.php en WordPress en versiones anteriores a 4.5 permite a atacantes remotos secuestrar la autenticación de administradores para petic... • http://codex.wordpress.org/Version_4.5 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2016-2221 – WordPress Core < 4.4.2 - Open Redirect via wp_validate_redirect
https://notcve.org/view.php?id=CVE-2016-2221
02 Feb 2016 — Open redirect vulnerability in the wp_validate_redirect function in wp-includes/pluggable.php in WordPress before 4.4.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL that triggers incorrect hostname parsing, as demonstrated by an https:example.com URL. Vulnerabilidad de redirección abierta en la función wp_validate_redirect en wp-includes/pluggable.php en WordPress en versiones anteriores a 4.4.2 permite a atacantes remotos redirigir a los ... • http://www.debian.org/security/2016/dsa-3472 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2016-1564 – WordPress Core < 4.4.1 - Cross-Site Scripting via Theme Names
https://notcve.org/view.php?id=CVE-2016-1564
14 Jan 2016 — Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php. Múltiples vulnerabilidades de XSS en wp-includes/class-wp-theme.php en WordPress en versiones anteriores a 4.4.1 permiten a atacantes remotos inyectar comandos de web o HTML arbitrarios a través de (1) nombre de hoja de estilo o (2) nombre de plantilla para wp-adm... • http://twitter.com/brutelogic/statuses/685105483397619713 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •