CVSS: 7.5 • EPSS: 1% • CPEs: 1 • EXPL: 0

18 Jun 2016 — WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors. Several vulnerabilities were discovered in wordpress, a web blogging tool, which could allow remote attackers to compromise a site via cross-site scripting, bypass restrictions, obtain sensitive revision-history information,... • http://www.debian.org/security/2016/dsa-3639 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 6.1 • EPSS: 6% • CPEs: 2 • EXPL: 0

06 May 2016 — Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack. • http://www.openwall.com/lists/oss-security/2016/05/07/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 3% • CPEs: 2 • EXPL: 0

06 May 2016 — Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn." • http://www.openwall.com/lists/oss-security/2016/05/07/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Apr 2016 — Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. • http://codex.wordpress.org/Version_4.5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Mar 2016 — Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPress before 4.5 allows remote attackers to hijack the authentication of administrators for requests that change the script compression option. • http://codex.wordpress.org/Version_4.5 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 7.4 • EPSS: 3% • CPEs: 1 • EXPL: 0

02 Feb 2016 — Open redirect vulnerability in the wp_validate_redirect function in wp-includes/pluggable.php in WordPress before 4.4.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL that triggers incorrect hostname parsing, as demonstrated by an https:example.com URL. • http://www.debian.org/security/2016/dsa-3472 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 8.6 • EPSS: 5% • CPEs: 1 • EXPL: 1

02 Feb 2016 — The wp_http_validate_url function in wp-includes/http.php in WordPress before 4.4.2 allows remote attackers to conduct server-side request forgery (SSRF) attacks via a zero value in the first octet of an IPv4 address in the u parameter to wp-admin/press-this.php. • http://www.debian.org/security/2016/dsa-3472 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

14 Jan 2016 — Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php. • http://twitter.com/brutelogic/statuses/685105483397619713 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 30% • CPEs: 1 • EXPL: 0

15 Sep 2015 — Cross-site scripting (XSS) vulnerability in WordPress before 4.3.1 allows remote attackers to inject arbitrary web script or HTML by leveraging the mishandling of unclosed HTML elements during processing of shortcode tags. Several vulnerabilities ha... • http://www.debian.org/security/2015/dsa-3375 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 • EPSS: 34% • CPEs: 1 • EXPL: 0

15 Sep 2015 — The mw_editPost function in wp-includes/class-wp-xmlrpc-server.php in the XMLRPC subsystem in WordPress before 4.3.1 allows remote authenticated users to bypass intended access restrictions, and arrange for a private post to be published and sticky, via unspecified vectors. • http://www.debian.org/security/2015/dsa-3375 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-264: Permissions, Privileges, and Access Controls