Page 19 of 256 results (0.025 seconds)

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php. Vulnerabilidad de CSRF en la funcionalidad de modo de accesibilidad de edición de widget en WordPress en versiones anteriores a 4.7.1 permite a atacantes remotos secuestrar la autenticación de victimas no especificadas para solicitudes que realizan una acción de acceso a widgets, relacionado con wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php. • http://www.debian.org/security/2017/dsa-3779 http://www.openwall.com/lists/oss-security/2017/01/14/6 http://www.securityfocus.com/bid/95407 http://www.securitytracker.com/id/1037591 https://codex.wordpress.org/Version_4.7.1 https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733 https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8720 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted directory name of a theme, related to wp-admin/includes/class-theme-installer-skin.php. Vulnerabilidad de XSS en la funcionalidad de retorno de nombre de tema en wp-includes/class-wp-theme.php en WordPress en versiones anteriores a 4.7.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un nombre de directorio manipulado de un tema, relacionado con wp-admin/includes/class-theme-installer-skin.php. • http://www.debian.org/security/2017/dsa-3779 http://www.openwall.com/lists/oss-security/2017/01/14/6 http://www.securityfocus.com/bid/95402 http://www.securitytracker.com/id/1037591 https://codex.wordpress.org/Version_4.7.1 https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359 https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8718 https://www.mehmetince.net/low-severity-wordpress • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup. wp-includes/ms-functions.php en la API Multisite WordPress en WordPress en versiones anteriores a 4.7.1 no elige adecuadamente los números aleatorios para claves, lo que hace que más fácil para atacantes remotos eludir las restricciones destinadas al acceso a través de una inscripción del (1) sitio o (2) usuario manipulado. • http://www.debian.org/security/2017/dsa-3779 http://www.openwall.com/lists/oss-security/2017/01/14/6 http://www.securityfocus.com/bid/95401 http://www.securitytracker.com/id/1037591 https://codex.wordpress.org/Version_4.7.1 https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4 https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8721 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •

CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0

wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name. wp-mail.php en WordPress en versiones anteriores a 4.7.1 podría permitir a atacantes remotos eludir las restricciones de publicación previstas a través de un servidor de correo falsificado con el nombre mail.example.com. • http://www.debian.org/security/2017/dsa-3779 http://www.openwall.com/lists/oss-security/2017/01/14/6 http://www.securityfocus.com/bid/95406 http://www.securitytracker.com/id/1037591 https://codex.wordpress.org/Version_4.7.1 https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8719 • CWE-285: Improper Authorization CWE-1188: Initialization of a Resource with an Insecure Default •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload. Vulnerabilidad de CSRF en WordPress en versiones anteriores a 4.7.1 permite a atacantes remotos secuestrar la autenticación de victimas no especificadas a través de vectores que implican una carga de archivo Flash. • http://www.debian.org/security/2017/dsa-3779 http://www.openwall.com/lists/oss-security/2017/01/14/6 http://www.securityfocus.com/bid/95399 http://www.securitytracker.com/id/1037591 https://codex.wordpress.org/Version_4.7.1 https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8717 • CWE-352: Cross-Site Request Forgery (CSRF) •