CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2014-9033 – WordPress Core < 4.0.1 - Cross-Site Request Forgery to Authentication Takeover
https://notcve.org/view.php?id=CVE-2014-9033
06 Aug 2014 — Cross-site request forgery (CSRF) vulnerability in wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, and 4.0 allows remote attackers to hijack the authentication of arbitrary users for requests that reset passwords. Vulnerabilidad de CSRF en wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, y 4.0 permite a atacantes remotos secuestrar la autenticación de usuarios arbitrarios para solicitudes que reconfiguran contraseñas. Multiple security issues have been discovered in Wordpress, a web blogging tool, resulting in... • http://advisories.mageia.org/MGASA-2014-0493.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 4%CPEs: 2EXPL: 0CVE-2014-5203 – WordPress Core < 3.9.2 - Deserialization via Widgets
https://notcve.org/view.php?id=CVE-2014-5203
06 Aug 2014 — wp-includes/class-wp-customize-widgets.php in the widget implementation in WordPress 3.9.x before 3.9.2 might allow remote attackers to execute arbitrary code via crafted serialized data. wp-includes/class-wp-customize-widgets.php en la implementación widget en WordPress 3.9.x anterior a 3.9.2 podría permitir a atacantes remotos ejecutar código arbitrario a través de datos serializados manipulados. • http://openwall.com/lists/oss-security/2014/08/13/3 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2014-5205 – WordPress Core < 3.9.2 - Brute Force of Cross-Site Request Forgery Tokens
https://notcve.org/view.php?id=CVE-2014-5205
06 Aug 2014 — wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack. wp-includes/pluggable.php en WordPress anterior a 3.9.2 no utiliza delimitadores durante la concatenación de los valores de acción y los valores uid en los tokens CSRF, lo que facilita a aqtacantes remotos evadir un mecanismo de protección CSRF a través de un ... • http://openwall.com/lists/oss-security/2014/08/13/3 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •
CVSS: 4.8EPSS: 0%CPEs: 33EXPL: 0CVE-2014-5240 – WordPress Core < 3.9.2 - Authenticated Cross-Site Scripting via Avatar URL
https://notcve.org/view.php?id=CVE-2014-5240
06 Aug 2014 — Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL. Vulnerabilidad de XSS en wp-includes/pluggable.php en WordPress anterior a 3.9.2, cuando Multisite está habilitado, permite a administradores remotos autenticados inyectar secuencias de comandos web o HTML, y obtener privilegios de super admini... • http://openwall.com/lists/oss-security/2014/08/13/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2014-5204 – WordPress Core < 3.9.2 - Cross-Site Request Forgery Protection Bypass
https://notcve.org/view.php?id=CVE-2014-5204
06 Aug 2014 — wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack. wp-includes/pluggable.php en WordPress anterior a 3.9.2 rechaza cadenas de caracteres de un sólo uso CSRF inválidos con diferencias de tiempo dependiendo de qué caracteres en la cadena de caracteres de un sólo uso sean incorrectos, lo que faci... • http://openwall.com/lists/oss-security/2014/08/13/3 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 17%CPEs: 122EXPL: 0CVE-2014-5265 – WordPress Core < 3.9.2 - Denial of Service via XML
https://notcve.org/view.php?id=CVE-2014-5265
06 Aug 2014 — The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. La librería Incutio XML-RPC (IXR), utilizada en WordPress anterior a 3.9.2 y Drupal 6.x anterior a 6.33 y 7.... • http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 89%CPEs: 122EXPL: 1CVE-2014-5266 – WordPress Core < 3.9.2 - Denial of Service via XML #2
https://notcve.org/view.php?id=CVE-2014-5266
06 Aug 2014 — The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265. La libraría Incutio XML-RPC (IXR) , utilizado en WordPress anterior a 3.9.2 y Drupal 6.x anterior a 6.33 y 7.x anterior a 7.31, no limita el número de elementos en un documento XML, lo que per... • https://packetstorm.news/files/id/180506 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.8EPSS: 0%CPEs: 98EXPL: 0CVE-2014-0165 – WordPress Core < 3.8.2 - Contributor Users Can Publish Posts
https://notcve.org/view.php?id=CVE-2014-0165
08 Apr 2014 — WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php. WordPress anterior a 3.7.2 y 3.8.x anterior a 3.8.2 permite a usuarios remotos autenticados publicar mensajes mediante el aprovechamiento del rol de Colaborador, relacionado con wp-admin/includes/post.php y wp-admin/includes/class-wp-posts-list-table.php. Multiple vulnerabilities have be... • http://codex.wordpress.org/Version_3.7.2 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •
CVSS: 9.1EPSS: 0%CPEs: 98EXPL: 1CVE-2014-0166 – WordPress Core < 3.8.2 - Authentication Cookie Forgery
https://notcve.org/view.php?id=CVE-2014-0166
08 Apr 2014 — The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie. La función wp_validate_auth_cookie en wp-includes/pluggable.php en WordPress anterior a 3.7.2 y 3.8.x anterior a 3.8.2 no determina debidamente la validez de cookies de autenticación, lo que facilita a atacantes remotos obtener acceso a través de u... • https://github.com/Ettack/POC-CVE-2014-0166 • CWE-287: Improper Authentication •
CVSS: 8.8EPSS: 0%CPEs: 11EXPL: 1CVE-2013-7233 – WordPress Core < 2.1 - Cross-Site Request Forgery to Denial of Service
https://notcve.org/view.php?id=CVE-2013-7233
17 Dec 2013 — Cross-site request forgery (CSRF) vulnerability in the retrospam component in wp-admin/options-discussion.php in WordPress 2.0.11 and earlier allows remote attackers to hijack the authentication of administrators for requests that move comments to the moderation list. V ulnerabilidad Cross-site request forgery (CSRF) en el componente retrospam en wp-admin/options-discussion.php en WordPress 2.0.11 y anteriores permite a atacantes remotos secuestrar la autenticación de los administradores de las solicitudes ... • https://www.exploit-db.com/exploits/38924 • CWE-352: Cross-Site Request Forgery (CSRF) •