
CVSS: 9.8 • EPSS: 0% • CPEs: 98 • EXPL: 0

08 Apr 2014 — WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php. Multiple vulnerabilities have be... • http://codex.wordpress.org/Version_3.7.2 • CWE-264: Permissions, Privileges, and Access Controls • CWE-285: Improper Authorization

CVSS: 9.1 • EPSS: 34% • CPEs: 98 • EXPL: 1

08 Apr 2014 — The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie. • https://github.com/Ettack/POC-CVE-2014-0166 • CWE-287: Improper Authentication

CVSS: 8.8 • EPSS: 0% • CPEs: 11 • EXPL: 1

17 Dec 2013 — Cross-site request forgery (CSRF) vulnerability in the retrospam component in wp-admin/options-discussion.php in WordPress 2.0.11 and earlier allows remote attackers to hijack the authentication of administrators for requests that move comments to the moderation list. • https://www.exploit-db.com/exploits/38924 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.5 • EPSS: 1% • CPEs: 1 • EXPL: 1

11 Sep 2013 — wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter. Updated wordpress and php-phpmailer packages fix security vulnerabilities. wp-includes/functions.php in WordP... • http://codex.wordpress.org/Version_3.6.1 • CWE-264: Permissions, Privileges, and Access Controls • CWE-285: Improper Authorization

CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 3

11 Sep 2013 — WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string. Updated wordpress and php-phpmailer packages fix security vulnerabilities. wp-includes/functions.ph... • https://packetstorm.news/files/id/123589 • CWE-20: Improper Input Validation • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Sep 2013 — The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file. • http://codex.wordpress.org/Version_3.6.1 • CWE-20: Improper Input Validation • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

11 Sep 2013 — The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php. • http://codex.wordpress.org/Version_3.6.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 9% • CPEs: 1 • EXPL: 1

11 Sep 2013 — wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations. Updated wordpress and php-phpmailer packages fix security... • http://codex.wordpress.org/Version_3.6.1 • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-502: Deserialization of Untrusted Data

CVSS: 9.1 • EPSS: 0% • CPEs: 77 • EXPL: 0

21 Jun 2013 — The HTTP API in WordPress before 3.5.2 allows remote attackers to send HTTP requests to intranet servers via unspecified vectors, related to a Server-Side Request Forgery (SSRF) issue, a similar vulnerability to CVE-2013-0235. • http://codex.wordpress.org/Version_3.5.2 • CWE-264: Permissions, Privileges, and Access Controls • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 6.5 • EPSS: 0% • CPEs: 77 • EXPL: 0

21 Jun 2013 — WordPress before 3.5.2 does not properly check the capabilities of roles, which allows remote authenticated users to bypass intended restrictions on publishing and authorship reassignment via unspecified vectors. A denial of se... • http://codex.wordpress.org/Version_3.5.2 • CWE-264: Permissions, Privileges, and Access Controls • CWE-862: Missing Authorization