
CVE-2015-2314 – WPML <= 3.1.9 - SQL Injection via lang Parameter
https://notcve.org/view.php?id=CVE-2015-2314
10 Mar 2015 — SQL injection vulnerability in the WPML plugin before 3.1.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the lang parameter in the HTTP Referer header in a wp-link-ajax action to comments/feed. • https://www.exploit-db.com/exploits/36414 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2015-2791 – WPML <= 3.1.9 - Arbitrary Deletion of Content
https://notcve.org/view.php?id=CVE-2015-2791
10 Mar 2015 — The "menu sync" function in the WPML plugin before 3.1.9 for WordPress allows remote attackers to delete arbitrary posts, pages, and menus via a crafted request to sitepress-multilingual-cms/menu/menus-sync.php. • https://www.exploit-db.com/exploits/36414 • CWE-264: Permissions, Privileges, and Access Controls • CWE-284: Improper Access Control

CVE-2015-2792 – WPML < 3.1.8 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2015-2792
02 Mar 2015 — The WPML plugin before 3.1.9 for WordPress does not properly handle multiple actions in a request, which allows remote attackers to bypass nonce checks and perform arbitrary actions via a request containing an action POST parameter, an action GET parameter, and a valid nonce for the action GET parameter. • http://klikki.fi/adv/wpml.html • CWE-284: Improper Access Control