CVSS: 4.8EPSS: 0%CPEs: 33EXPL: 0CVE-2014-5240 – WordPress Core < 3.9.2 - Authenticated Cross-Site Scripting via Avatar URL
https://notcve.org/view.php?id=CVE-2014-5240
06 Aug 2014 — Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL. Vulnerabilidad de XSS en wp-includes/pluggable.php en WordPress anterior a 3.9.2, cuando Multisite está habilitado, permite a administradores remotos autenticados inyectar secuencias de comandos web o HTML, y obtener privilegios de super admini... • http://openwall.com/lists/oss-security/2014/08/13/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 7%CPEs: 122EXPL: 0CVE-2014-5265 – WordPress Core < 3.9.2 - Denial of Service via XML
https://notcve.org/view.php?id=CVE-2014-5265
06 Aug 2014 — The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. La librería Incutio XML-RPC (IXR), utilizada en WordPress anterior a 3.9.2 y Drupal 6.x anterior a 6.33 y 7.... • http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 77%CPEs: 122EXPL: 2CVE-2014-5266 – WordPress Core < 3.9.2 - Denial of Service via XML #2
https://notcve.org/view.php?id=CVE-2014-5266
06 Aug 2014 — The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265. La libraría Incutio XML-RPC (IXR) , utilizado en WordPress anterior a 3.9.2 y Drupal 6.x anterior a 6.33 y 7.x anterior a 7.31, no limita el número de elementos en un documento XML, lo que per... • https://packetstorm.news/files/id/180506 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2014-9033 – WordPress Core < 4.0.1 - Cross-Site Request Forgery to Authentication Takeover
https://notcve.org/view.php?id=CVE-2014-9033
06 Aug 2014 — Cross-site request forgery (CSRF) vulnerability in wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, and 4.0 allows remote attackers to hijack the authentication of arbitrary users for requests that reset passwords. Vulnerabilidad de CSRF en wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, y 4.0 permite a atacantes remotos secuestrar la autenticación de usuarios arbitrarios para solicitudes que reconfiguran contraseñas. Multiple security issues have been discovered in Wordpress, a web blogging tool, resulting in... • http://advisories.mageia.org/MGASA-2014-0493.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 98EXPL: 0CVE-2014-0165 – WordPress Core < 3.8.2 - Contributor Users Can Publish Posts
https://notcve.org/view.php?id=CVE-2014-0165
08 Apr 2014 — WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php. WordPress anterior a 3.7.2 y 3.8.x anterior a 3.8.2 permite a usuarios remotos autenticados publicar mensajes mediante el aprovechamiento del rol de Colaborador, relacionado con wp-admin/includes/post.php y wp-admin/includes/class-wp-posts-list-table.php. Multiple vulnerabilities have be... • http://codex.wordpress.org/Version_3.7.2 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •
CVSS: 9.1EPSS: 34%CPEs: 98EXPL: 1CVE-2014-0166 – WordPress Core < 3.8.2 - Authentication Cookie Forgery
https://notcve.org/view.php?id=CVE-2014-0166
08 Apr 2014 — The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie. La función wp_validate_auth_cookie en wp-includes/pluggable.php en WordPress anterior a 3.7.2 y 3.8.x anterior a 3.8.2 no determina debidamente la validez de cookies de autenticación, lo que facilita a atacantes remotos obtener acceso a través de u... • https://github.com/Ettack/POC-CVE-2014-0166 • CWE-287: Improper Authentication •
CVSS: 8.8EPSS: 0%CPEs: 11EXPL: 1CVE-2013-7233 – WordPress Core < 2.1 - Cross-Site Request Forgery to Denial of Service
https://notcve.org/view.php?id=CVE-2013-7233
17 Dec 2013 — Cross-site request forgery (CSRF) vulnerability in the retrospam component in wp-admin/options-discussion.php in WordPress 2.0.11 and earlier allows remote attackers to hijack the authentication of administrators for requests that move comments to the moderation list. V ulnerabilidad Cross-site request forgery (CSRF) en el componente retrospam en wp-admin/options-discussion.php en WordPress 2.0.11 y anteriores permite a atacantes remotos secuestrar la autenticación de los administradores de las solicitudes ... • https://www.exploit-db.com/exploits/38924 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 1%CPEs: 1EXPL: 1CVE-2013-4340 – WordPress Core < 3.6.1 - Spoof Post Authorship
https://notcve.org/view.php?id=CVE-2013-4340
11 Sep 2013 — wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter. wp-admin/includes/post.php en WordPress anteriores a 3.6.1 permite a usuarios remotos autentificados falsear la autoría de una entrada aprovechando el rol Author y utilizando un parámetro user_ID modificado. Updated wordpress and php-phpmailer packages fix security vulnerabilities. wp-includes/functions.php in WordP... • http://codex.wordpress.org/Version_3.6.1 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 3CVE-2013-4339 – WordPress Core < 3.6.1 - Open Redirect
https://notcve.org/view.php?id=CVE-2013-4339
11 Sep 2013 — WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string. WordPress anterior a v3.6.1 no valida adecuadamente las URLs antes de su uso en una redirección HTTP, lo que permite a atacantes remotos evitar las restricciones establecidas a las redirecciones a través de una cadena hecha mano. Updated wordpress and php-phpmailer packages fix security vulnerabilities. wp-includes/functions.ph... • https://packetstorm.news/files/id/123589 • CWE-20: Improper Input Validation CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2013-5738 – WordPress Core < 3.6.1 - HTML File Upload
https://notcve.org/view.php?id=CVE-2013-5738
11 Sep 2013 — The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file. La función get_allowed_mime_types en wp-includes/functions.php de WordPress anterior a 3.6.1 no requiere la capacidad unfiltered_html para subidas de ficheros .htm y .html lo cual podría facilitar a usuarios remo... • http://codex.wordpress.org/Version_3.6.1 • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •