
CVE-2013-2205 – WordPress Core < 3.5.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-2205
21 Jun 2013 — The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestrictive security.allowDomain setting, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site. • http://codex.wordpress.org/Version_3.5.2 • CWE-16: Configuration; CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2013-3720 – Feedweb < 1.9 - Authenticated (Admin+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-3720
03 Apr 2013 — Cross-site scripting (XSS) vulnerability in widget_remove.php in the Feedweb plugin before 1.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wp_post_id parameter. The Feedweb pl... • http://plugins.trac.wordpress.org/changeset?old_path=%2Ffeedweb&old=689612&new_path=%2Ffeedweb&new=689612 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2013-0235 – WordPress Core < 3.5.1 - Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2013-0235
24 Jan 2013 — The XMLRPC API in WordPress before 3.5.1 allows remote attackers to send HTTP requests to intranet servers, and conduct port-scanning attacks, by specifying a crafted source URL for a pingback, related to a Server-Side Request Forgery (SSRF) issue. • https://packetstorm.news/files/id/181085 • CWE-918: Server-Side Request Forgery (SSRF)

CVE-2013-0237 – WordPress Core < 3.5.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-0237
24 Jan 2013 — Cross-site scripting (XSS) vulnerability in Plupload.as in Moxiecode plupload before 1.5.5, as used in WordPress before 3.5.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the id parameter. • http://codex.wordpress.org/Version_3.5.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2013-0236 – WordPress Core < 3.5.1 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-0236
24 Jan 2013 — Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) gallery shortcodes or (2) the content of a post. • http://codex.wordpress.org/Version_3.5.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2012-3414 – SWFUpload <= 2.2.0.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-3414
09 Nov 2012 — Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Image Manager 1.1, and other products, allows remote attackers to inject arbitrary web script or HTML via the movieName parameter, related to the "ExternalInterface.call" function. • https://www.exploit-db.com/exploits/37470 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2012-4422 – WordPress Core < 3.4.2 - Missing Authorization Checks
https://notcve.org/view.php?id=CVE-2012-4422
06 Sep 2012 — wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activation of an installed plugin, which might allow remote authenticated users to make unintended plugin changes by leveraging the Administrator role. • http://codex.wordpress.org/Version_3.4.2 • CWE-264: Permissions, Privileges, and Access Controls; CWE-862: Missing Authorization

CVE-2012-4421 – WordPress Core < 3.4.2 - Missing Authorization Checks on create_post
https://notcve.org/view.php?id=CVE-2012-4421
06 Sep 2012 — The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature. • http://codex.wordpress.org/Version_3.4.2 • CWE-264: Permissions, Privileges, and Access Controls; CWE-862: Missing Authorization

CVE-2011-5128 – Adminimize < 1.7.22 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-5128
29 Aug 2012 — Multiple cross-site scripting (XSS) vulnerabilities in the Adminimize plugin before 1.7.22 for WordPress allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) inc-options/deinstall_options.php, (2) inc-options/theme_options.php, or (3) inc-options/im_export_options.php, or the (4) post or (5) post_ID parameters to adminimize.php, different vectors than CVE-2011-4926. • http://plugins.trac.wordpress.org/changeset?reponame=&new=467338%40adminimize&old=466900%40adminimize#file5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2011-4926 – Adminimize <= 1.7.21 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-4926
29 Aug 2012 — Cross-site scripting (XSS) vulnerability in adminimize/adminimize_page.php in the Adminimize plugin before 1.7.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. • https://www.exploit-db.com/exploits/36325 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')