CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2018-5776 – WordPress Core < 4.9.2 - Authenticated Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-5776
WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). WordPress en versiones anteriores a la 4.9.2 tiene XSS en los archivos Flash de reserva en MediaElement (en wp-includes/js/mediaelement). • https://codex.wordpress.org/Version_4.9.2 https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850 https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/9006 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-17091 – WordPress Core < 4.9.1 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2017-17091
wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string. wp-admin/user-new.php en WordPress en versiones anteriores a la 4.9.1 establece la clave newbloguser a una cadena que se puede derivar directamente del ID de usuario, lo que permite que los atacantes remotos omitan las restricciones de acceso planeadas introduciendo esta cadena. • http://www.securityfocus.com/bid/102024 https://codex.wordpress.org/Version_4.9.1 https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c https://lists.debian.org/debian-lts-announce/2017/12/msg00019.html https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8969 https://www.debian.org/security/2018/dsa-4090 • CWE-285: Improper Authorization CWE-330: Use of Insufficiently Random Values •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2017-17092 – WordPress Core < 4.9.1 - Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-17092
wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file. wp-includes/functions.php en WordPress en versiones anteriores a la 4.9.1 no necesita la capacidad de unfiltered_html para subir archivos .js, lo que puede permitir que los atacantes remotos realicen ataques Cross-Site Scripting (XSS) mediante un archivo manipulado. • http://www.securityfocus.com/bid/102024 https://codex.wordpress.org/Version_4.9.1 https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509 https://lists.debian.org/debian-lts-announce/2017/12/msg00019.html https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8966 https://www.debian.org/security/2018/dsa-4090 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2017-17093 – WordPress Core < 4.9.1- Stored Cross-Site Scripting via Language
https://notcve.org/view.php?id=CVE-2017-17093
wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site. wp-includes/general-template.php en WordPress en versiones anteriores a la 4.9.1 no restringe correctamente el atributo lang de un elemento HTML, lo que puede permitir que los atacantes realicen ataques Cross-Site Scripting (XSS) mediante la configuración de idioma de un sitio web. • http://www.securityfocus.com/bid/102024 https://codex.wordpress.org/Version_4.9.1 https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a https://lists.debian.org/debian-lts-announce/2017/12/msg00019.html https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8968 https://www.debian.org/security/2018/dsa-4090 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2017-17094 – WordPress Core < 4.9.1 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-17094
wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL. wp-includes/feed.php en WordPress en versiones anteriores a la 4.9.1 no restringe contenedores en los campos RSS y Atom, lo que puede permitir que los atacantes realicen ataques Cross-Site Scripting (XSS) mediante una URL manipulada. • http://www.securityfocus.com/bid/102024 https://codex.wordpress.org/Version_4.9.1 https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de https://lists.debian.org/debian-lts-announce/2017/12/msg00019.html https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8967 https://www.debian.org/security/2018/dsa-4090 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •