Page 15 of 148 results (0.009 seconds)

CVSS: 7.5EPSS: 29%CPEs: 1EXPL: 15

In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times. En WordPress hasta la versión 4.9.2, los atacantes no autenticados puede provocar una denegación de servicio (consumo de recursos) utilizando una lista grande de archivos .js registrados (de wp-includes/script-loader.php) para construir una serie de peticiones para cargar cada archivo muchas veces. In WordPress before 5.0, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times. It looks like most of the slowness was due to forcing PHP to repeatedly compress the output scripts, which was addressed in 5.0. WordPress Core suffers from a load-scripts.php denial of service vulnerability. • https://www.exploit-db.com/exploits/43968 https://github.com/safebuffer/CVE-2018-6389 https://github.com/knqyf263/CVE-2018-6389 https://github.com/armaanpathan12345/WP-DOS-Exploit-CVE-2018-6389 https://github.com/thechrono13/PoC---CVE-2018-6389 https://github.com/ianxtianxt/CVE-2018-6389 https://github.com/dsfau/wordpress-CVE-2018-6389 https://github.com/amit-pathak009/CVE-2018-6389-FIX https://github.com/Jetserver/CVE-2018-6389-FIX https://github.com/mudhappy/Wordpre • CWE-400: Uncontrolled Resource Consumption •

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0

WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). WordPress en versiones anteriores a la 4.9.2 tiene XSS en los archivos Flash de reserva en MediaElement (en wp-includes/js/mediaelement). • https://codex.wordpress.org/Version_4.9.2 https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850 https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/9006 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0

wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file. wp-includes/functions.php en WordPress en versiones anteriores a la 4.9.1 no necesita la capacidad de unfiltered_html para subir archivos .js, lo que puede permitir que los atacantes remotos realicen ataques Cross-Site Scripting (XSS) mediante un archivo manipulado. • http://www.securityfocus.com/bid/102024 https://codex.wordpress.org/Version_4.9.1 https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509 https://lists.debian.org/debian-lts-announce/2017/12/msg00019.html https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8966 https://www.debian.org/security/2018/dsa-4090 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string. wp-admin/user-new.php en WordPress en versiones anteriores a la 4.9.1 establece la clave newbloguser a una cadena que se puede derivar directamente del ID de usuario, lo que permite que los atacantes remotos omitan las restricciones de acceso planeadas introduciendo esta cadena. • http://www.securityfocus.com/bid/102024 https://codex.wordpress.org/Version_4.9.1 https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c https://lists.debian.org/debian-lts-announce/2017/12/msg00019.html https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8969 https://www.debian.org/security/2018/dsa-4090 • CWE-285: Improper Authorization CWE-330: Use of Insufficiently Random Values •

CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0

wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL. wp-includes/feed.php en WordPress en versiones anteriores a la 4.9.1 no restringe contenedores en los campos RSS y Atom, lo que puede permitir que los atacantes realicen ataques Cross-Site Scripting (XSS) mediante una URL manipulada. • http://www.securityfocus.com/bid/102024 https://codex.wordpress.org/Version_4.9.1 https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de https://lists.debian.org/debian-lts-announce/2017/12/msg00019.html https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8967 https://www.debian.org/security/2018/dsa-4090 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •