CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2015-5623 – WordPress Core < 4.2.3 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2015-5623
23 Jul 2015 — WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action to wp-admin/post.php. Vulnerabilidad en WordPress en versiones anteriores a 4.2.3, no verifica adecuadamente la capacidad de edit_posts, lo que permite a usuarios remotos autenticados eludir las restricciones destinadas al acceso y crear borradores mediant... • http://codex.wordpress.org/Version_4.2.3 • CWE-284: Improper Access Control CWE-862: Missing Authorization •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2015-8834 – WordPress Core < 4.2.2 - Cross-Site Scripting via Comments
https://notcve.org/view.php?id=CVE-2015-8834
07 May 2015 — Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3440. Vulnerabilidad de XSS en wp-includes/wp-db.php en WordPress en versiones anteriores a 4.2.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a tra... • http://www.debian.org/security/2016/dsa-3639 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 64%CPEs: 3EXPL: 4CVE-2015-3440 – WordPress Core < 4.2.1 - Cross-Site Scripting via Comments
https://notcve.org/view.php?id=CVE-2015-3440
27 Apr 2015 — Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.1 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. Vulnerabilidad de XSS en wp-includes/wp-db.php en WordPress en versiones anteriores a 4.2.1, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un comentario largo que es almacenado indebidamente a causa de las limit... • https://www.exploit-db.com/exploits/36844 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 1%CPEs: 3EXPL: 1CVE-2015-3438 – WordPress Core < 4.1.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-3438
21 Apr 2015 — Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 4.1.2, when MySQL is used without strict mode, allow remote attackers to inject arbitrary web script or HTML via a (1) four-byte UTF-8 character or (2) invalid character that reaches the database layer, as demonstrated by a crafted character in a comment. Múltiples vulnerabilidades de XSS en WordPress en versiones anteriores a 4.1.2 cuando se utiliza MySQL sin modo estricto, permite a atacantes remotos inyectar secuencias de comandos we... • http://codex.wordpress.org/Version_4.1.2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 10EXPL: 3CVE-2015-3439 – WordPress Core < 4.1.2 - Cross-Site Scripting via Ephox in Plupload
https://notcve.org/view.php?id=CVE-2015-3439
20 Apr 2015 — Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as. Vulnerabilidad de XSS en el shim Ephox (anteriormente Moxiecode) plupload.flash.swf 2.1.2 en Plupload, tal como se utiliza en Wo... • http://codex.wordpress.org/Version_4.1.2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 4CVE-2015-3429 – Twenty Fifteen Theme <= 1.1 & WordPress Core < 4.2.2 - Cross-Site Scripting via example.html
https://notcve.org/view.php?id=CVE-2015-3429
08 Apr 2015 — Cross-site scripting (XSS) vulnerability in example.html in Genericons before 3.3.1, as used in WordPress before 4.2.2, allows remote attackers to inject arbitrary web script or HTML via a fragment identifier. Vulnerabilidad de XSS en example.html en Genericons anterior a 3.3.1, utilizado en WordPress anterior a 4.2.2, permite a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través de un identificador de fragmentos. The security update for wordpress in DSA 3328 contained a regres... • https://packetstorm.news/files/id/131802 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 1%CPEs: 1EXPL: 0CVE-2014-6412 – WordPress Core < 4.4 - Brute Force Password Recovery Tokens
https://notcve.org/view.php?id=CVE-2014-6412
12 Feb 2015 — WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach. Las versiones anteriores a la 4.4 de WordPress facilitan que atacantes remotos puedan predecir tokens password-recovery mediante un ataque de fuerza bruta. All versions of WordPress fail to implement a cryptographically secure pseudorandom number generator. • http://packetstormsecurity.com/files/130380/WordPress-Failed-Randomness.html • CWE-261: Weak Encoding for Password CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 9.8EPSS: 0%CPEs: 14EXPL: 0CVE-2014-9037 – Wordpress Core < 4.0.1 - Hash Collision
https://notcve.org/view.php?id=CVE-2014-9037
20 Nov 2014 — WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an account idle since 2008 by leveraging an improper PHP dynamic type comparison for an MD5 hash. WordPress anterior a 3.7.5, 3.8.x anterior a 3.8.5, 3.9.x anterior a 3.9.3, y 4.x anterior a 4.0.1 podría permitir a atacantes remotos obtener el acceso a una cuenta ociosa desde el 2008 mediante el aprovechamiento de una comparación indebida del tipo dinámico de PHP para un hash... • http://advisories.mageia.org/MGASA-2014-0493.html • CWE-310: Cryptographic Issues CWE-916: Use of Password Hash With Insufficient Computational Effort •
CVSS: 6.4EPSS: 0%CPEs: 12EXPL: 0CVE-2014-9035 – WordPress Core < 4.0.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-9035
20 Nov 2014 — Cross-site scripting (XSS) vulnerability in Press This in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en Press This en WordPress anterior a 3.7.5, 3.8.x anterior a 3.8.5, 3.9.x anterior a 3.9.3, y 4.x anterior a 4.0.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. Multiple security iss... • http://advisories.mageia.org/MGASA-2014-0493.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 12EXPL: 0CVE-2014-9036 – WordPress Core < 4.0.1 - Cross-Site Scripting via CSS
https://notcve.org/view.php?id=CVE-2014-9036
20 Nov 2014 — Cross-site scripting (XSS) vulnerability in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted Cascading Style Sheets (CSS) token sequence in a post. Vulnerabilidad de XSS en WordPress anterior a 3.7.5, 3.8.x anterior a 3.8.5, 3.9.x anterior a 3.9.3, y 4.x anterior a 4.0.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una secuencia manipulada de toke... • http://advisories.mageia.org/MGASA-2014-0493.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •