
CVE-2012-2401 – WordPress Core <= 3.3.1 - Same Origin Policy Bypass
https://notcve.org/view.php?id=CVE-2012-2401
20 Apr 2012 — Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content. The flaw is in the bundled Flash (SWF) component rather than in WordPress PHP code, so any product or theme that ships its own copy of Plupload needs the 1.5.4 update independently of the WordPress 3.3.2 release. • http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/plupload/changelog.txt?rev=20487 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-264: Permissions, Privileges, and Access Controls •

CVE-2012-2403 – WordPress Core < 3.3.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-2403
20 Apr 2012 — wp-includes/formatting.php in WordPress before 3.3.2 attempts to enable clickable links inside attributes, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. Rewriting a URL that sits inside an HTML attribute value into anchor markup places new tags inside that attribute, which is why auto-linking must be confined to text content. • http://core.trac.wordpress.org/changeset/20493/branches/3.3/wp-includes/capabilities.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
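The following is an added illustration of the auto-linking problem described above; it is not WordPress code and does not reproduce the unspecified vector from the advisory. It contrasts a naive auto-linker that runs a URL regex over raw markup with one that parses the fragment and only links URLs found in text nodes. The URL pattern, the `<img>` samples and the function names are all constructed for this example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed, simplified URL pattern (hypothetical; not the project's own).
URL_RE = re.compile(r'https?://[^\s"<>]+')


def linkify_naive(fragment: str) -> str:
    """Vulnerable pattern: substitute on the raw markup, so a URL inside an
    attribute value is rewritten into an <a> tag *inside* that attribute.
    The closing quote of the generated href terminates the original
    attribute early, and whatever follows is parsed as part of the tag."""
    return URL_RE.sub(
        lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', fragment)


def linkify_text(text: str) -> str:
    """Link URLs in a plain text node; everything is HTML-escaped on output."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(escape(text[pos:m.start()]))
        url = escape(m.group(0), quote=True)
        out.append(f'<a href="{url}">{url}</a>')
        pos = m.end()
    out.append(escape(text[pos:]))
    return "".join(out)


def _start_tag(tag, attrs, self_closing):
    parts = [tag]
    for name, value in attrs:
        parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
    return "<" + " ".join(parts) + (" />" if self_closing else ">")


class SafeLinkifier(HTMLParser):
    """Safe pattern: walk the markup and apply linkify_text to text nodes only;
    attribute values are re-emitted escaped and otherwise untouched."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        self.out.append(_start_tag(tag, attrs, False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(_start_tag(tag, attrs, True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(linkify_text(data))


def linkify_safe(fragment: str) -> str:
    p = SafeLinkifier()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed inputs: a URL in text (should become a link) and a URL in an
    # attribute (must be left alone).
    for sample in ('Visit http://example.org/ today',
                   '<img src="http://example.org/x.png" alt="x">',
                   '<img src="http://attacker.example/a/onerror=alert(1)" alt="x">'):
        print("naive:", linkify_naive(sample))
        print("safe: ", linkify_safe(sample))
```

In the third constructed sample the naive output reads `<img src="<a href="http://attacker.example/a/onerror=alert(1)">...`, so the quote that closes the generated `href` also closes `src`, and the remainder of the attacker-supplied URL is then read by the HTML tokenizer as further attributes of the `<img>` tag. The parser-based version leaves the attribute value exactly as it was and still links the URL in the first sample.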

CVE-2012-2402 – WordPress Core < 3.3.2 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2012-2402
20 Apr 2012 — wp-admin/plugins.php in WordPress before 3.3.2 allows remote authenticated site administrators to bypass intended access restrictions and deactivate network-wide plugins via unspecified vectors. This applies to multisite installations, where network-activated plugins are meant to be managed only by network administrators and not by the administrator of an individual site. • http://core.trac.wordpress.org/changeset/20526/branches/3.3/wp-admin/plugins.php • CWE-264: Permissions, Privileges, and Access Controls CWE-863: Incorrect Authorization •

CVE-2012-4033 – Zingiri Web Shop < 2.4.0 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-4033
18 Apr 2012 — Multiple unspecified vulnerabilities in the Zingiri Web Shop plugin before 2.4.0 for WordPress have unknown impact and attack vectors. The Zingiri Web Shop plugin for WordPress has multiple vulnerabilities in versions up to, and including, 2.3.7. This is due to the inclusion of timthumb.php, along with several cross-site scripting and SQL injection vu... • http://forums.zingiri.com/announcements.php?aid=2 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVE-2012-2109 – BuddyPress - 1.5-1.5.4 - SQL Injection
https://notcve.org/view.php?id=CVE-2012-2109
27 Mar 2012 — SQL injection vulnerability in wp-load.php in the BuddyPress plugin 1.5.x before 1.5.5 for WordPress allows remote attackers to execute arbitrary SQL commands via the page parameter in an activity_widget_filter action. • https://www.exploit-db.com/exploits/18690 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
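The entry above says only that the `page` parameter reaches a SQL statement unsanitised. The following added example, written for this page and not taken from BuddyPress, shows the general pattern: a pagination value interpolated into a query string, a boolean-blind extraction that works by watching which page of results comes back, and the fixed handler that casts the value to an integer and binds it as a parameter. The schema, table contents, query shape and the `$P$example` hash are all constructed; in WordPress the equivalent fix is `absint()` on the value and `$wpdb->prepare()` for the query.

```python
import sqlite3

PER_PAGE = 2


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not BuddyPress's schema): a public activity
    stream plus a users table the attacker is not supposed to read."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE activity (id INTEGER PRIMARY KEY, content TEXT);
        INSERT INTO activity (content) VALUES ('post 1'), ('post 2'), ('post 3'), ('post 4');
        CREATE TABLE users (login TEXT, pass_hash TEXT);
        INSERT INTO users VALUES ('admin', '$P$example');
    """)
    return con


def activity_page_vulnerable(con: sqlite3.Connection, page: str) -> list:
    """Vulnerable pattern: the request's page value goes straight into the SQL
    text, so any expression the database accepts is evaluated as the offset."""
    offset = f"({page} - 1) * {PER_PAGE}"
    sql = f"SELECT content FROM activity ORDER BY id LIMIT {PER_PAGE} OFFSET {offset}"
    return [row[0] for row in con.execute(sql)]


def blind_extract(con: sqlite3.Connection, length: int) -> str:
    """Attacker side: make the offset depend on one character of the admin's
    hash. A true comparison shifts the result window by one page, so the
    page contents act as a yes/no oracle and the hash is read out one
    character at a time without ever seeing the users table directly."""
    page_two = activity_page_vulnerable(con, "2")      # what "yes" looks like
    alphabet = "$P.abcdefghijklmnopqrstuvwxyz0123456789"
    recovered = ""
    for i in range(1, length + 1):
        for ch in alphabet:
            payload = (f"1 + ((SELECT substr(pass_hash, {i}, 1) FROM users "
                       f"WHERE login = 'admin') = '{ch}')")
            if activity_page_vulnerable(con, payload) == page_two:
                recovered += ch
                break
        else:
            break       # no character matched: end of the value
    return recovered


def activity_page_fixed(con: sqlite3.Connection, page: str) -> list:
    """Fixed pattern: validate the type first, then bind the values so the
    database never parses user input as SQL."""
    try:
        page_no = int(page)
    except (TypeError, ValueError):
        raise ValueError("page must be an integer") from None
    if page_no < 1:
        raise ValueError("page must be >= 1")
    sql = "SELECT content FROM activity ORDER BY id LIMIT ? OFFSET ?"
    return [row[0] for row in con.execute(sql, (PER_PAGE, (page_no - 1) * PER_PAGE))]


if __name__ == "__main__":
    db = make_db()
    print("page 1:", activity_page_vulnerable(db, "1"))
    print("recovered via blind injection:", blind_extract(db, 10))
    print("fixed, page 2:", activity_page_fixed(db, "2"))
    try:
        activity_page_fixed(db, "1 + 1")
    except ValueError as e:
        print("fixed rejects non-integer page:", e)
```

SQLite accepts arbitrary expressions, including scalar subqueries, in `LIMIT`/`OFFSET`, which keeps the demonstration self-contained; MySQL only takes integer literals there, so against a MySQL-backed site the injection point and payload differ, but the unvalidated interpolation is the defect in both cases.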

CVE-2012-0782 – WordPress Core 3.3.1 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-0782
30 Jan 2012 — ** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dbhost, (2) dbname, or (3) uname parameter. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether this specific XSS scenario has security relevance. • https://www.exploit-db.com/exploits/18417 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2012-0937 – WordPress Core 3.3.1 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-0937
30 Jan 2012 — wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to external MySQL database servers, which allows remote attackers to use WordPress as a proxy for brute-force attacks or denial of service attacks via the dbhost parameter, a different vulnerability than CVE-2011-4898. NOTE: the vendor disputes the significance of this issue because an incomplete WordPress installation might be present on the network for only a short time. • https://www.exploit-db.com/exploits/18417 •

CVE-2011-4899 – WordPress Core 3.3.1 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2011-4899
30 Jan 2012 — wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database service is appropriate, which allows remote attackers to configure an arbitrary database via the dbhost and dbname parameters, and subsequently conduct static code injection and cross-site scripting (XSS) attacks via (1) an HTTP request or (2) a MySQL query. NOTE: the vendor disputes the significance of this issue; however, remote code execution makes the issue important i... • https://packetstorm.news/files/id/127470 •

CVE-2011-4898 – WordPress Core 3.3.1 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2011-4898
30 Jan 2012 — wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct brute-force attacks via a series of requests with different uname and pwd parameters. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether providing intentionally vague error messages during installation would... This and the three preceding setup-config.php entries are only reachable while an installation is incomplete, so the practical check is that no unfinished WordPress install is left exposed to untrusted networks. • https://www.exploit-db.com/exploits/18417 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
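The two installer entries CVE-2012-0937 (no limit on connections the installer opens to an attacker-chosen host) and CVE-2011-4898 (error message differs depending on whether the credentials worked) share one root cause: the form is forwarded to the database server before it has been fully validated. The following added example, written for this page and not WordPress's own code, models both. The `FakeMySQL` stand-in, the message strings, the `AttemptLimiter` policy and the client address are all constructed for the demonstration.

```python
from collections import Counter

# Constructed stand-in for an external MySQL server (not a real client library):
# it accepts exactly one credential pair and counts how often it is contacted.
VALID_CREDENTIALS = {("wpuser", "correct-horse")}


class FakeMySQL:
    def __init__(self):
        self.connect_attempts = 0

    def connect(self, user: str, password: str) -> None:
        self.connect_attempts += 1
        if (user, password) not in VALID_CREDENTIALS:
            raise PermissionError("Access denied for user")


REQUIRED = ("dbhost", "dbname", "uname", "pwd")


def setup_config_vulnerable(db: FakeMySQL, params: dict) -> str:
    """Leaky ordering: the credentials are tried against the server first, and
    only a successful login gets far enough to notice that dbname is absent.
    The two distinct replies therefore tell the caller whether uname/pwd were
    accepted, and every guess costs the database server a connection."""
    try:
        db.connect(params.get("uname", ""), params.get("pwd", ""))
    except PermissionError:
        return "Error: could not connect with the supplied credentials"
    if not params.get("dbname"):
        return "Error: a database name is required"   # only reachable with valid creds
    return "ok"


class AttemptLimiter:
    """Per-client budget for connections the installer will open on a client's
    behalf (assumed policy for this example, not a WordPress mechanism)."""

    def __init__(self, limit: int):
        self.limit = limit
        self.seen = Counter()

    def allow(self, client: str) -> bool:
        self.seen[client] += 1
        return self.seen[client] <= self.limit


def setup_config_fixed(db: FakeMySQL, params: dict,
                       limiter: AttemptLimiter, client: str) -> str:
    """Validate the whole form before touching the network, so an incomplete
    request gets the same answer regardless of the credentials, and cap how
    many times one client can make the installer open a connection."""
    if any(not params.get(k) for k in REQUIRED):
        return "Error: all fields are required"
    if not limiter.allow(client):
        return "Error: too many attempts"
    try:
        db.connect(params["uname"], params["pwd"])
    except PermissionError:
        return "Error: could not connect with the supplied credentials"
    return "ok"


def enumerate_credentials(send, usernames, passwords) -> list:
    """Attacker side: omit dbname and watch for the 'database name is required'
    reply, which the vulnerable handler returns only after a successful login."""
    hits = []
    for user in usernames:
        for pwd in passwords:
            reply = send({"dbhost": "db.internal", "uname": user, "pwd": pwd})
            if "database name is required" in reply:
                hits.append((user, pwd))
    return hits


if __name__ == "__main__":
    users, guesses = ["root", "wpuser"], ["password", "correct-horse"]

    db = FakeMySQL()
    print("vulnerable:", enumerate_credentials(
        lambda p: setup_config_vulnerable(db, p), users, guesses),
        "connections made:", db.connect_attempts)

    db, limiter = FakeMySQL(), AttemptLimiter(limit=3)
    print("fixed:", enumerate_credentials(
        lambda p: setup_config_fixed(db, p, limiter, "198.51.100.7"), users, guesses),
        "connections made:", db.connect_attempts)
```

Against the vulnerable handler the enumeration finds the valid pair and the stand-in server sees one connection per guess; against the fixed handler every incomplete request receives the same reply and the server is never contacted, while complete requests are still forwarded but only up to the limiter's budget.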

CVE-2012-6527 – My Calendar < 1.10.5 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-6527
18 Jan 2012 — Cross-site scripting (XSS) vulnerability in the My Calendar plugin before 1.10.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. The entry title and a second copy of the description on this page give the fixed version as 1.10.5 rather than 1.10.2; the linked changeset is the place to confirm which release carries the fix. • http://plugins.trac.wordpress.org/changeset/490070/my-calendar • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •