CVSS: 6.1EPSS: 0%CPEs: 73EXPL: 4CVE-2012-0782 – WordPress Core 3.3.1 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-0782
30 Jan 2012 — Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dbhost, (2) dbname, or (3) uname parameter. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether this specific XSS scenario has security relevance ** CUESTIONADA ** Varias vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en wp-admin/setup-config... • https://www.exploit-db.com/exploits/18417 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.3EPSS: 4%CPEs: 73EXPL: 5CVE-2011-4899 – WordPress Core 3.3.1 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2011-4899
30 Jan 2012 — wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database service is appropriate, which allows remote attackers to configure an arbitrary database via the dbhost and dbname parameters, and subsequently conduct static code injection and cross-site scripting (XSS) attacks via (1) an HTTP request or (2) a MySQL query. NOTE: the vendor disputes the significance of this issue; however, remote code execution makes the issue important i... • https://packetstorm.news/files/id/127470 •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2011-1762 – WordPress Core < 3.1.2 - Incorrect Authorization for Contributor-level users
https://notcve.org/view.php?id=CVE-2011-1762
26 Apr 2011 — A flaw exists in Wordpress related to the 'wp-admin/press-this.php 'script improperly checking user permissions when publishing posts. This may allow a user with 'Contributor-level' privileges to post as if they had 'publish_posts' permission. Se presenta un fallo en Wordpress relacionado con el script "wp-admin/press-this.php" que comprueba incorrectamente los permisos de usuario cuando son publicados posts. Esto puede permitir que un usuario con privilegios de tipo "Contributor-level" publique como si tuv... • https://wordpress.org/support/wordpress-version/version-3-1-2 • CWE-276: Incorrect Default Permissions CWE-284: Improper Access Control •
CVSS: 6.3EPSS: 0%CPEs: 6EXPL: 1CVE-2011-5270 – WordPress Core < 3.0.6 - Incorrect Authorization Checks
https://notcve.org/view.php?id=CVE-2011-5270
26 Apr 2011 — wp-admin/press-this.php in WordPress before 3.0.6 does not enforce the publish_posts capability requirement, which allows remote authenticated users to perform publish actions by leveraging the Contributor role. wp-admin/press-this.php en WordPress anterior a la versión 3.0.6 no cumple los requisitos de capacidad publish_posts, lo que permite a usuarios remotos autenticados realizar acciones de publicación mediante el aprovechamiento del rol de Contributor. • http://codex.wordpress.org/Version_3.0.6 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •
CVSS: 6.4EPSS: 0%CPEs: 75EXPL: 0CVE-2011-4956 – WordPress Core <= 3.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-4956
05 Apr 2011 — Cross-site scripting (XSS) vulnerability in WordPress before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en WordPress antes de v3.1.1, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores no especificados. • http://secunia.com/advisories/44038 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 75EXPL: 0CVE-2011-4957 – WordPress Core < 3.1.1 - Denial of Service
https://notcve.org/view.php?id=CVE-2011-4957
05 Apr 2011 — The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a crafted URL that triggers many recursive calls. La función make_clickable en wp-includes/formatting.php en WordPress antes de v3.1.1 no comprueba las URL correctamente antes de pasarlas a la biblioteca PCRE, lo que permite a atacantes remotos provocar una denegación de ... • http://core.trac.wordpress.org/ticket/16892 • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2011-0701 – WordPress Core < 3.0.5 - Improper Authorization to Information Disclosure
https://notcve.org/view.php?id=CVE-2011-0701
07 Feb 2011 — wp-admin/async-upload.php in the media uploader in WordPress before 3.0.5 allows remote authenticated users to read (1) draft posts or (2) private posts via a modified attachment_id parameter. wp-admin/async-upload.php en media uploader en WordPress anterior a v3.0.5 permite a usuarios remotos autenticados leer (1) posts borradores o (2) posts privados a través del parámetro modificado attachment_id. • http://codex.wordpress.org/Version_3.0.5 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-285: Improper Authorization •
CVSS: 5.4EPSS: 0%CPEs: 48EXPL: 1CVE-2010-5296 – WordPress Core < 3.0.2 - Missing Authorization
https://notcve.org/view.php?id=CVE-2010-5296
30 Dec 2010 — wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action. wp-includes/capabilities.php en WordPress anterior a la versión 3.0.2, cuando se usa una configuración Multisite, no requiere el rol Super Admin para la capacidad delete_users, lo que permite a administradores remotos autenticados evadi... • http://codex.wordpress.org/Version_3.0.2 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 1%CPEs: 1EXPL: 0CVE-2010-4536 – WordPress Core <= 3.0.3 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-4536
29 Dec 2010 — Multiple cross-site scripting (XSS) vulnerabilities in KSES, as used in WordPress before 3.0.4, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the & (ampersand) character, (2) the case of an attribute name, (3) a padded entity, and (4) an entity that is not in normalized form. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en KSES, como las utilizadas en WordPress antes de v3.0.4, permite a atacantes remotos inyectar secue... • http://core.trac.wordpress.org/changeset/17172/branches/3.0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 70EXPL: 1CVE-2010-5106 – WordPress Core < 3.0.3 - Access Control Bypass
https://notcve.org/view.php?id=CVE-2010-5106
08 Dec 2010 — The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote authenticated users to bypass intended access restrictions, and publish, edit, or delete posts, by leveraging the Author or Contributor role. La interfaz de publicación de XML-RPC remoto en xmlrpc.php en WordPress antes de v3.0.3 no realiza correctamente determinadas comprobaciones, lo que permite a usuarios remotos autenticados eludir restricciones de acceso, y publicar,... • http://codex.wordpress.org/Version_3.0.3 • CWE-264: Permissions, Privileges, and Access Controls CWE-284: Improper Access Control •