CVSS: 5.3EPSS: 0%CPEs: 77EXPL: 0CVE-2013-2203 – WordPress Core < 3.5.2 - Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2013-2203
21 Jun 2013 — WordPress before 3.5.2, when the uploads directory forbids write access, allows remote attackers to obtain sensitive information via an invalid upload request, which reveals the absolute path in an XMLHttpRequest error message. WordPress anterior a v3.5.2, cuando el directorio de archivos prohíbe el acceso de escritura, permite a atacantes remotos obtener información sensible a través de una petición de subida valida, lo que revela la ruta absoluta en un mensaje de error XMLHttpRequest. A denial of service ... • http://codex.wordpress.org/Version_3.5.2 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 0%CPEs: 78EXPL: 1CVE-2013-2204 – WordPress Core <= 3.5.1 - Content-Spoofing Attacks
https://notcve.org/view.php?id=CVE-2013-2204
21 Jun 2013 — moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media plugin in WordPress before 3.5.2 and other products, does not consider the presence of a # (pound sign) character during extraction of the QUERY_STRING, which allows remote attackers to pass arbitrary parameters to a Flash application, and conduct content-spoofing attacks, via a crafted string after a ? (question mark) character. moxieplayer.as en Moxiecode moxieplayer, como es usado en el plugin TinyMCE Media en WordPress anterior a v3.5... • http://codex.wordpress.org/Version_3.5.2 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 1CVE-2013-2173 – WordPress Core <= 3.5.1 - Denial of Service via wp-postpass cookie
https://notcve.org/view.php?id=CVE-2013-2173
13 Jun 2013 — wp-includes/class-phpass.php in WordPress 3.5.1, when a password-protected post exists, allows remote attackers to cause a denial of service (CPU consumption) via a crafted value of a certain wp-postpass cookie. wp-includes/class-phpass.php en WordPress v3.5.1, cuando un password protegido existe, permite a atacantes remotos causar una denegación de servicio (consumo de CPU) mediante una valor especialmente diseñado para cierto cookie wp-postpass. A denial of service flaw was found in the way Wordpress, a b... • http://archives.neohapsis.com/archives/bugtraq/2013-06/0052.html • CWE-310: Cryptographic Issues CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.4EPSS: 0%CPEs: 76EXPL: 1CVE-2013-0236 – WordPress Core < 3.5.1 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-0236
24 Jan 2013 — Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) gallery shortcodes or (2) the content of a post. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en WordPress anteriores a v3.5.1 permite a atacantes remotos a inyectar comandos web o HTML a través de vectores que implican (1) códigos cortos de la galería o (2) contenido de un post. • http://codex.wordpress.org/Version_3.5.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 89EXPL: 1CVE-2013-0237 – WordPress Core < 3.5.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-0237
24 Jan 2013 — Cross-site scripting (XSS) vulnerability in Plupload.as in Moxiecode plupload before 1.5.5, as used in WordPress before 3.5.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the id parameter. Vulnerabilidad de ejecución de comandos en sitios cruzados en Plupload.as en Moxiecode Plupload anteriores a v1.5.5, como el usado en WordPress anteriores a v3.5.1 y otros productos, permiten a atacantes remotos inyectar comandos web o HTML a través del parámetro id. • http://codex.wordpress.org/Version_3.5.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 65%CPEs: 76EXPL: 2CVE-2013-0235 – Wordpress Pingback Locator
https://notcve.org/view.php?id=CVE-2013-0235
24 Jan 2013 — The XMLRPC API in WordPress before 3.5.1 allows remote attackers to send HTTP requests to intranet servers, and conduct port-scanning attacks, by specifying a crafted source URL for a pingback, related to a Server-Side Request Forgery (SSRF) issue. La API XMLRPC en WordPress anteriores a v3.5.1 permite a a atacantes remotos a enviar peticiones HTTP a servidores de la intranet, y conducir ataques de escaneo de puertos, especificando una URL origen manipulada en la respuesta a un ping, relacionado con una fal... • https://packetstorm.news/files/id/181085 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.1EPSS: 1%CPEs: 1EXPL: 0CVE-2012-5868 – WordPress Core < 4.0 - Missing Session Cookie Expiration
https://notcve.org/view.php?id=CVE-2012-5868
20 Dec 2012 — WordPress 3.4.2 does not invalidate a wordpress_sec session cookie upon an administrator's logout action, which makes it easier for remote attackers to discover valid session identifiers via a brute-force attack, or modify data via a replay attack. WordPress v3.4.2 no invalida una cookie de sesión wordpress_sec cookie en una acción de desconexió del administrador, lo que hace que sea más fácil para los atacantes remotos a la hora de descubrir identificadores de sesión válidos a través de un ataque de fuerza... • http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-613: Insufficient Session Expiration •
CVSS: 6.1EPSS: 6%CPEs: 23EXPL: 6CVE-2012-3414 – SWFUpload <= 2.2.0.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-3414
09 Nov 2012 — Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Image Manager 1.1, and other products, allows remote attackers to inject arbitrary web script or HTML via the movieName parameter, related to the "ExternalInterface.call" function. Vulnerabilidad XSS (cross-site scripting) en swfupload.swf en SWFUpload v2.2.0.10 y anteriores, tal y como se utilizaba en Wordpress anterior a v3.3.2, TinyMCE Image Manager v1.1, y otros producto... • https://packetstorm.news/files/id/118059 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2012-4448
https://notcve.org/view.php?id=CVE-2012-4448
28 Sep 2012 — Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authentication of administrators for requests that modify an RSS URL via a dashboard_incoming_links edit action. Una vulnerabilidad de falsificación de peticiones en sitios cruzados (CSRF) en wp-admin/index.php en WordPress v3.4.2 permite a atacantes remotos secuestrar la autenticación de las solicitudes de administradores que modifican una URL de un RSS a través de una acción de ed... • http://openwall.com/lists/oss-security/2012/09/25/15 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.3EPSS: 0%CPEs: 87EXPL: 1CVE-2012-4421 – WordPress Core < 3.4.2 - Missing Authorization Checks on create_post
https://notcve.org/view.php?id=CVE-2012-4421
06 Sep 2012 — The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature. La función create_post en wp-includes/class-wp-atom-server.php en WordPress antes de v3.4.2 no realiza determinadas comprobaciones, lo que permite a usuarios remotos autenticados eludir ... • http://codex.wordpress.org/Version_3.4.2 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •