CVE-2016-10972 – Newspaper - News & WooCommerce WordPress Theme <= 6.7 - Arbitrary Options Update
https://notcve.org/view.php?id=CVE-2016-10972
The newspaper theme before 6.7.2 for WordPress has a lack of options access control via td_ajax_update_panel.
• https://wpvulndb.com/vulnerabilities/8852
• https://www.exploit-db.com/exploits/39894
• CWE-269: Improper Privilege Management
• CWE-862: Missing Authorization
CVE-2017-18634 – Newspaper - News & WooCommerce WordPress Theme < 6.7.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-18634
The newspaper theme before 6.7.2 for WordPress has script injection via td_ads[header] to admin-ajax.php.
• https://blog.sucuri.net/2017/06/unwanted-shorte-st-ads-in-unpatched-newspaper-theme.html
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')