Page 13 of 131 results (0.006 seconds)

CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0

In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins. En WordPress, en versiones anteriores a la 4.9.9 y versiones 5.x anteriores a la 5.0.1, las URL manipuladas podrían desencadenar Cross-Site Scripting (XSS) para ciertos casos de uso relacionados con los plugins. • http://www.securityfocus.com/bid/106220 https://codex.wordpress.org/Version_4.9.9 https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460 https://lists.debian.org/debian-lts-announce/2019/02/msg00019.html https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release https://wordpress.org/support/wordpress-version/version-5-0-1 https://wpvulndb.com/vulnerabilities/9173 https://www.debian.org/security/2019/dsa-4401 https://www.zdnet.com/article/wordpress- • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS. En WordPress, en versiones anteriores a la 4.9.9 y versiones 5.x anteriores a la 5.0.1, los contribuyentes podrían modificar nuevos comentarios realizados por los usuarios con mayores privilegios, lo que podría provocar Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/106220 https://codex.wordpress.org/Version_4.9.9 https://lists.debian.org/debian-lts-announce/2019/02/msg00019.html https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release https://wordpress.org/support/wordpress-version/version-5-0-1 https://wpvulndb.com/vulnerabilities/9172 https://www.debian.org/security/2019/dsa-4401 https://www.zdnet.com/article/wordpress-plugs-bug-that-led-to-google-indexing-some-user-passwords • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 1%CPEs: 4EXPL: 1

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php. En WordPress, en versiones anteriores a la 4.9.9 y versiones 5.x anteriores a la 5.0.1, los contribuyentes pueden llevar a cabo ataques de inyección de objetos PHP mediante metadatos manipulados en una llamada wp.getMediaItem. Esto viene provocado por la gestión incorrecta de datos serializados en URL phar:// en la función wp_get_attachment_thumb_file en wp-includes/post.php. • http://www.securityfocus.com/bid/106220 https://blog.secarma.co.uk/labs/near-phar-dangerous-unserialization-wherever-you-are https://codex.wordpress.org/Version_4.9.9 https://lists.debian.org/debian-lts-announce/2019/02/msg00019.html https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release https://wordpress.org/support/wordpress-version/version-5-0-1 https://wpvulndb.com/vulnerabilities/9171 https://www.debian.org/security/2019/dsa-4401 https://www.zdnet.com/articl • CWE-502: Deserialization of Untrusted Data •

CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0

In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. En WordPress, en versiones anteriores a la 4.9.9 y versiones 5.x anteriores a la 5.0.1, los autores podrían omitir las restricciones planeadas sobre los tipos de publicación mediante entradas manipuladas. • http://www.securityfocus.com/bid/106220 https://codex.wordpress.org/Version_4.9.9 https://lists.debian.org/debian-lts-announce/2019/02/msg00019.html https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release https://wordpress.org/support/wordpress-version/version-5-0-1 https://wpvulndb.com/vulnerabilities/9170 https://www.debian.org/security/2019/dsa-4401 https://www.zdnet.com/article/wordpress-plugs-bug-that-led-to-google-indexing-some-user-passwords • CWE-20: Improper Input Validation CWE-285: Improper Authorization •

CVSS: 7.7EPSS: 0%CPEs: 4EXPL: 0

In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files. En WordPress, en versiones anteriores a la 4.9.9 y versiones 5.x anteriores a la 5.0.1, los autores podrían modificar metadatos para omitir las restricciones planeadas de la eliminación de archivos. • http://www.securityfocus.com/bid/106220 https://codex.wordpress.org/Version_4.9.9 https://lists.debian.org/debian-lts-announce/2019/02/msg00019.html https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release https://wordpress.org/support/wordpress-version/version-5-0-1 https://wpvulndb.com/vulnerabilities/9169 https://www.debian.org/security/2019/dsa-4401 https://www.zdnet.com/article/wordpress-plugs-bug-that-led-to-google-indexing-some-user-passwords • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •