CVSS: 4.8EPSS: 0%CPEs: 33EXPL: 0CVE-2014-5240 – WordPress Core < 3.9.2 - Authenticated Cross-Site Scripting via Avatar URL
https://notcve.org/view.php?id=CVE-2014-5240
06 Aug 2014 — Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL. Vulnerabilidad de XSS en wp-includes/pluggable.php en WordPress anterior a 3.9.2, cuando Multisite está habilitado, permite a administradores remotos autenticados inyectar secuencias de comandos web o HTML, y obtener privilegios de super admini... • http://openwall.com/lists/oss-security/2014/08/13/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2014-5204 – WordPress Core < 3.9.2 - Cross-Site Request Forgery Protection Bypass
https://notcve.org/view.php?id=CVE-2014-5204
06 Aug 2014 — wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack. wp-includes/pluggable.php en WordPress anterior a 3.9.2 rechaza cadenas de caracteres de un sólo uso CSRF inválidos con diferencias de tiempo dependiendo de qué caracteres en la cadena de caracteres de un sólo uso sean incorrectos, lo que faci... • http://openwall.com/lists/oss-security/2014/08/13/3 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 17%CPEs: 122EXPL: 0CVE-2014-5265 – WordPress Core < 3.9.2 - Denial of Service via XML
https://notcve.org/view.php?id=CVE-2014-5265
06 Aug 2014 — The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. La librería Incutio XML-RPC (IXR), utilizada en WordPress anterior a 3.9.2 y Drupal 6.x anterior a 6.33 y 7.... • http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 89%CPEs: 122EXPL: 1CVE-2014-5266 – WordPress Core < 3.9.2 - Denial of Service via XML #2
https://notcve.org/view.php?id=CVE-2014-5266
06 Aug 2014 — The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265. La libraría Incutio XML-RPC (IXR) , utilizado en WordPress anterior a 3.9.2 y Drupal 6.x anterior a 6.33 y 7.x anterior a 7.31, no limita el número de elementos en un documento XML, lo que per... • https://packetstorm.news/files/id/180506 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.8EPSS: 0%CPEs: 98EXPL: 0CVE-2014-0165 – WordPress Core < 3.8.2 - Contributor Users Can Publish Posts
https://notcve.org/view.php?id=CVE-2014-0165
08 Apr 2014 — WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php. WordPress anterior a 3.7.2 y 3.8.x anterior a 3.8.2 permite a usuarios remotos autenticados publicar mensajes mediante el aprovechamiento del rol de Colaborador, relacionado con wp-admin/includes/post.php y wp-admin/includes/class-wp-posts-list-table.php. Multiple vulnerabilities have be... • http://codex.wordpress.org/Version_3.7.2 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •
CVSS: 9.1EPSS: 0%CPEs: 98EXPL: 1CVE-2014-0166 – WordPress Core < 3.8.2 - Authentication Cookie Forgery
https://notcve.org/view.php?id=CVE-2014-0166
08 Apr 2014 — The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie. La función wp_validate_auth_cookie en wp-includes/pluggable.php en WordPress anterior a 3.7.2 y 3.8.x anterior a 3.8.2 no determina debidamente la validez de cookies de autenticación, lo que facilita a atacantes remotos obtener acceso a través de u... • https://github.com/Ettack/POC-CVE-2014-0166 • CWE-287: Improper Authentication •
CVSS: 8.8EPSS: 0%CPEs: 11EXPL: 1CVE-2013-7233 – WordPress Core < 2.1 - Cross-Site Request Forgery to Denial of Service
https://notcve.org/view.php?id=CVE-2013-7233
17 Dec 2013 — Cross-site request forgery (CSRF) vulnerability in the retrospam component in wp-admin/options-discussion.php in WordPress 2.0.11 and earlier allows remote attackers to hijack the authentication of administrators for requests that move comments to the moderation list. V ulnerabilidad Cross-site request forgery (CSRF) en el componente retrospam en wp-admin/options-discussion.php en WordPress 2.0.11 y anteriores permite a atacantes remotos secuestrar la autenticación de los administradores de las solicitudes ... • https://www.exploit-db.com/exploits/38924 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.1EPSS: 1%CPEs: 1EXPL: 3CVE-2013-4339 – WordPress Core < 3.6.1 - Open Redirect
https://notcve.org/view.php?id=CVE-2013-4339
11 Sep 2013 — WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string. WordPress anterior a v3.6.1 no valida adecuadamente las URLs antes de su uso en una redirección HTTP, lo que permite a atacantes remotos evitar las restricciones establecidas a las redirecciones a través de una cadena hecha mano. Updated wordpress and php-phpmailer packages fix security vulnerabilities. wp-includes/functions.ph... • https://packetstorm.news/files/id/123589 • CWE-20: Improper Input Validation CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2013-5738 – WordPress Core < 3.6.1 - HTML File Upload
https://notcve.org/view.php?id=CVE-2013-5738
11 Sep 2013 — The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file. La función get_allowed_mime_types en wp-includes/functions.php de WordPress anterior a 3.6.1 no requiere la capacidad unfiltered_html para subidas de ficheros .htm y .html lo cual podría facilitar a usuarios remo... • http://codex.wordpress.org/Version_3.6.1 • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2013-5739 – WordPress Core < 3.6.1 - .swf and .exe File Upload
https://notcve.org/view.php?id=CVE-2013-5739
11 Sep 2013 — The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php. La configuración por defecto de Wordpress anteriores a 3.6.1 no previene la carga de archivos .swf y .exe, lo que podría hacer fácil para un usuario remoto autentificado realizar ataques cross-site scripting (X... • http://codex.wordpress.org/Version_3.6.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •