CVSS: 7.5EPSS: 0%CPEs: 85EXPL: 0CVE-2012-3385 – WordPress Core < 3.4.1 - Information Disclosure
https://notcve.org/view.php?id=CVE-2012-3385
27 Jun 2012 — WordPress before 3.4.1 does not properly restrict access to post contents such as private or draft posts, which allows remote authors or contributors to obtain sensitive information via unknown vectors. WordPress anterior a v3.4.1 no restringe el acceso a publicar contenidos tales como los mensajes privados o proyecto, lo que permite a los autores o colaboradores remotos obtener información sensible a través de vectores desconocidos. • http://codex.wordpress.org/Version_3.4.1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2012-6707 – WordPress Core - Informational - All known Versions - Weak Hashing Algorithm
https://notcve.org/view.php?id=CVE-2012-6707
20 Jun 2012 — WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress wi... • https://core.trac.wordpress.org/ticket/21022 • CWE-261: Weak Encoding for Password CWE-326: Inadequate Encryption Strength •
CVSS: 8.8EPSS: 0%CPEs: 83EXPL: 3CVE-2012-1936 – WordPress Core 3.3.1 - Multiple Cross-Site Request Forgery Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-1936
03 May 2012 — The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session, which might make it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks on specific actions and objects by sniffing the network, as demonstrated by attacks against the wp-admin/admin-ajax.php and wp-admin/user-new.php scripts. NOTE: the vendor reportedly disputes the significance of this issue because wp_create_nonce operates ... • https://www.exploit-db.com/exploits/18791 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 1%CPEs: 80EXPL: 0CVE-2012-2399 – WordPress Core <= 3.5.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-2399
21 Apr 2012 — Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote attackers to inject arbitrary web script or HTML via the buttonText parameter, a different vulnerability than CVE-2012-3414. Vulnerabilidad no especificada en wp-includes/js/swfupload/swfupload.swf en WordPress antes de v3.3.2 tiene un impacto y vectores de ataque desconocidos. • http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/swfupload/swfupload.swf?rev=20503 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 80EXPL: 0CVE-2012-2404 – WordPress Core <= 3.3.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-2404
21 Apr 2012 — wp-comments-post.php in WordPress before 3.3.2 supports offsite redirects, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. wp-comments-post.php en WordPress antes de v3.3.2 soporta redirecciones afuera del sitio, lo que hace que facilita a los atacantes remotos a la hora de realizar ataques de ejecuciónde comandos en sitios cruzados (XSS) a través de vectores no especificados. • http://core.trac.wordpress.org/changeset/20486/branches/3.3/wp-comments-post.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 89EXPL: 0CVE-2012-2401 – WordPress Core <= 3.3.1 - Same Origin Policy Bypass
https://notcve.org/view.php?id=CVE-2012-2401
20 Apr 2012 — Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content. Plupload antes de v1.5.4, tal y como se utiliza en wp-includes/js/plupload/ en WordPress antes de v3.3.2 y otros productos, permite ejecutar secuencias de comandos, independientemente del dominio desde el que se cargó el contenido SWF, lo qu... • http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/plupload/changelog.txt?rev=20487 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 0%CPEs: 80EXPL: 0CVE-2012-2402 – WordPress Core < 3.3.2 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2012-2402
20 Apr 2012 — wp-admin/plugins.php in WordPress before 3.3.2 allows remote authenticated site administrators to bypass intended access restrictions and deactivate network-wide plugins via unspecified vectors. wp-admin/plugins.php en WordPress antes de v3.3.2 permite eludir restricciones de acceso a los administradores autenticados del sitio y desactivar plugins de red a través de vectores no especificados. • http://core.trac.wordpress.org/changeset/20526/branches/3.3/wp-admin/plugins.php • CWE-264: Permissions, Privileges, and Access Controls CWE-863: Incorrect Authorization •
CVSS: 10.0EPSS: 0%CPEs: 80EXPL: 0CVE-2012-2400 – WordPress Core < 3.3.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-2400
20 Apr 2012 — Unspecified vulnerability in wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown impact and attack vectors. Vulnerabilidad no especificada en wp-includes/js/swfobject.js en WordPress antes de v3.3.2 tiene un impacto y vectores de ataque desconocidos. • http://core.trac.wordpress.org/changeset/20499/branches/3.3/wp-includes/js/swfobject.js • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 1%CPEs: 80EXPL: 0CVE-2012-2403 – WordPress Core < 3.3.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-2403
20 Apr 2012 — wp-includes/formatting.php in WordPress before 3.3.2 attempts to enable clickable links inside attributes, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. wp-includes/formatting.php en WordPress antes de v3.3.2 intenta habilitar los enlaces 'clicables' dentro de los atributos, lo que hace que facilita a los atacantes remotos a la hora de realizar ataques de ejecución de comandos en sitios cruzados(XSS) a través de vectores no especificados. • http://core.trac.wordpress.org/changeset/20493/branches/3.3/wp-includes/capabilities.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 76EXPL: 0CVE-2012-4033 – Zingiri Web Shop < 2.4.0 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-4033
18 Apr 2012 — Multiple unspecified vulnerabilities in the Zingiri Web Shop plugin before 2.4.0 for WordPress have unknown impact and attack vectors. Múltiples vulnerabilidades no especificadas en el plug-in Zingiri Web Shop antes de v2.4.0 para WordPress tienen un impacto y vectores de ataque desconocidos. The Zingiri Web Shop plugin for WordPress has multiple vulnerabilities in versions up to, and including, 2.3.7. This is due to the inclusion of timthumb.php, along with several cross-site scripting and SQL injection vu... • http://forums.zingiri.com/announcements.php?aid=2 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •