CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2012-4448
https://notcve.org/view.php?id=CVE-2012-4448
28 Sep 2012 — Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authentication of administrators for requests that modify an RSS URL via a dashboard_incoming_links edit action. Una vulnerabilidad de falsificación de peticiones en sitios cruzados (CSRF) en wp-admin/index.php en WordPress v3.4.2 permite a atacantes remotos secuestrar la autenticación de las solicitudes de administradores que modifican una URL de un RSS a través de una acción de ed... • http://openwall.com/lists/oss-security/2012/09/25/15 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 88EXPL: 1CVE-2012-4422 – WordPress Core < 3.4.2 - Missing Authorization Checks
https://notcve.org/view.php?id=CVE-2012-4422
06 Sep 2012 — wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activation of an installed plugin, which might allow remote authenticated users to make unintended plugin changes by leveraging the Administrator role. wp-admin/plugins.php en WordPress anterior a v3.4.2, cuando la característica multisitio está activada, no comprueba los privilegios de administrador de red antes de llevar a cabo la activ... • http://codex.wordpress.org/Version_3.4.2 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 6.3EPSS: 0%CPEs: 87EXPL: 1CVE-2012-4421 – WordPress Core < 3.4.2 - Missing Authorization Checks on create_post
https://notcve.org/view.php?id=CVE-2012-4421
06 Sep 2012 — The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature. La función create_post en wp-includes/class-wp-atom-server.php en WordPress antes de v3.4.2 no realiza determinadas comprobaciones, lo que permite a usuarios remotos autenticados eludir ... • http://codex.wordpress.org/Version_3.4.2 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2012-3383 – WordPress Core < 3.4.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-3383
22 Jul 2012 — The map_meta_cap function in wp-includes/capabilities.php in WordPress 3.4.x before 3.4.2, when the multisite feature is enabled, does not properly assign the unfiltered_html capability, which allows remote authenticated users to bypass intended access restrictions and conduct cross-site scripting (XSS) attacks by leveraging the Administrator or Editor role and composing crafted text. La función map_meta_cap en el archivo wp-includes/capabilities.php de WordPress versiones 3.4.x anteriores a 3.4.2, cuando l... • http://codex.wordpress.org/Version_3.4.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 18EXPL: 0CVE-2012-6635 – WordPress Core <= 3.3.2 - Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2012-6635
27 Jun 2012 — wp-admin/includes/class-wp-posts-list-table.php in WordPress before 3.3.3 does not properly restrict excerpt-view access, which allows remote authenticated users to obtain sensitive information by visiting a draft. wp-admin/includes/class-wp-posts-list-table.php en WordPress anterior a 3.3.3 no restringe adecuadamente el accesso a la vista-resumen (excerpt-view) lo que permite a los usuarios remotos autenticados obtener información sensible al visitar un proyecto. • http://codex.wordpress.org/Version_3.3.3 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 18EXPL: 0CVE-2012-6634 – WordPress Core <= 3.3.2 - Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2012-6634
27 Jun 2012 — wp-admin/media-upload.php in WordPress before 3.3.3 allows remote attackers to obtain sensitive information or bypass intended media-attachment restrictions via a post_id value. wp-admin/media-upload.php en WordPress anterior a 3.3.3 permite a atacantes remotos obtener información sensible o de evitar restricciones de medios adjuntos a través de un valor post_id. • http://codex.wordpress.org/Version_3.3.3 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.8EPSS: 0%CPEs: 85EXPL: 0CVE-2012-3384 – WordPress Core < 3.4.1 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2012-3384
27 Jun 2012 — Cross-site request forgery (CSRF) vulnerability in the customizer in WordPress before 3.4.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. Una vulnerabilidad de falsificación de peticiones en sitios cruzados(CSRF) en el personalizador de WordPress anterior a v3.4.1 permite a atacantes remotos secuestrar la autenticación de las víctimas no especificadas a través de vectores desconocidos. • http://codex.wordpress.org/Version_3.4.1 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 18EXPL: 0CVE-2012-6633 – WordPress Core <= 3.3.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-6633
27 Jun 2012 — Cross-site scripting (XSS) vulnerability in wp-includes/default-filters.php in WordPress before 3.3.3 allows remote attackers to inject arbitrary web script or HTML via an editable slug field. Vulnerabilidad de Cross-site scripting (XSS) en wp-includes/default-filters.php en WordPress antes de 3.3.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de un campo slug editable. • http://codex.wordpress.org/Version_3.3.3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 85EXPL: 0CVE-2012-3385 – WordPress Core < 3.4.1 - Information Disclosure
https://notcve.org/view.php?id=CVE-2012-3385
27 Jun 2012 — WordPress before 3.4.1 does not properly restrict access to post contents such as private or draft posts, which allows remote authors or contributors to obtain sensitive information via unknown vectors. WordPress anterior a v3.4.1 no restringe el acceso a publicar contenidos tales como los mensajes privados o proyecto, lo que permite a los autores o colaboradores remotos obtener información sensible a través de vectores desconocidos. • http://codex.wordpress.org/Version_3.4.1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2012-6707 – WordPress Core - Informational - All known Versions - Weak Hashing Algorithm
https://notcve.org/view.php?id=CVE-2012-6707
20 Jun 2012 — WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress wi... • https://core.trac.wordpress.org/ticket/21022 • CWE-261: Weak Encoding for Password CWE-326: Inadequate Encryption Strength •