CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2017-9061 – WordPress Core < 4.7.5 - Stored Cross-Site Scripting via filenames
https://notcve.org/view.php?id=CVE-2017-9061
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename. En WordPress anteriores a 4.7.5, existe una vulnerabilidad XSS (cross-site scripting) al intentar cargar archivos muy grandes, porque el mensaje de error no restringe adecuadamente la presentación del nombre de archivo. • http://www.debian.org/security/2017/dsa-3870 http://www.securityfocus.com/bid/98509 http://www.securitytracker.com/id/1038520 https://codex.wordpress.org/Version_4.7.5 https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6 https://wordpress.org/news/2017/05/wordpress-4-7-5 https://wpvulndb.com/vulnerabilities/8819 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.6EPSS: 0%CPEs: 3EXPL: 0CVE-2017-9062 – WordPress Core < 4.7.5 - Mishandling Post Meta Values via XML-RPC
https://notcve.org/view.php?id=CVE-2017-9062
In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API. En WordPress anteriores a 4.7.5, existe una manipulación incorrecta de los valores meta-datos al hacer el post en la API XML-RPC. • http://www.debian.org/security/2017/dsa-3870 http://www.securityfocus.com/bid/98509 http://www.securitytracker.com/id/1038520 https://codex.wordpress.org/Version_4.7.5 https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381 https://wordpress.org/news/2017/05/wordpress-4-7-5 https://wpvulndb.com/vulnerabilities/8816 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-285: Improper Authorization CWE-352: Cross-Site Request Forgery (CSRF) CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2017-9063 – WordPress Core < 4.7.5 - Cross-Site Scripting via Customizer
https://notcve.org/view.php?id=CVE-2017-9063
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session. En WordPress anteriores a 4.7.5, existe una vulnerabilidad de XSS (cross-site scripting) relacionada con la salida del personalizador, en una sesión de personalización no válida. • http://www.debian.org/security/2017/dsa-3870 http://www.securityfocus.com/bid/98509 http://www.securitytracker.com/id/1038520 https://codex.wordpress.org/Version_4.7.5 https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3 https://wordpress.org/news/2017/05/wordpress-4-7-5 https://wpvulndb.com/vulnerabilities/8820 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2017-9064 – WordPress Core < 4.7.5 - Cross-Site Request Forgery Filesystem Credential Update
https://notcve.org/view.php?id=CVE-2017-9064
In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials. En WordPress antes de 4.7.5, existe una vulnerabilidad de Cross Site Request Forgery (CSRF) en el diálogo de credenciales del sistema de archivos porque no se requiere un nonce para actualizar las credenciales. • http://www.debian.org/security/2017/dsa-3870 http://www.securityfocus.com/bid/98509 http://www.securitytracker.com/id/1038520 https://codex.wordpress.org/Version_4.7.5 https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67 https://wordpress.org/news/2017/05/wordpress-4-7-5 https://wpvulndb.com/vulnerabilities/8818 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2017-9065 – WordPress Core < 4.7.5 - Authorization Bypass Allowing Post Meta Updates
https://notcve.org/view.php?id=CVE-2017-9065
In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API. En WordPress anteriores a 4.7.5, hay una falta de verificaciones de capacidad para el envío de metadatos en la API XML-RPC. • http://www.debian.org/security/2017/dsa-3870 http://www.securityfocus.com/bid/98509 http://www.securitytracker.com/id/1038520 https://codex.wordpress.org/Version_4.7.5 https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4 https://wordpress.org/news/2017/05/wordpress-4-7-5 https://wpvulndb.com/vulnerabilities/8817 • CWE-20: Improper Input Validation CWE-285: Improper Authorization •