CVSS: 6.4EPSS: 3%CPEs: 1EXPL: 0CVE-2010-4536 – WordPress Core <= 3.0.3 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-4536
29 Dec 2010 — Multiple cross-site scripting (XSS) vulnerabilities in KSES, as used in WordPress before 3.0.4, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the & (ampersand) character, (2) the case of an attribute name, (3) a padded entity, and (4) an entity that is not in normalized form. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en KSES, como las utilizadas en WordPress antes de v3.0.4, permite a atacantes remotos inyectar secue... • http://core.trac.wordpress.org/changeset/17172/branches/3.0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 70EXPL: 1CVE-2010-5106 – WordPress Core < 3.0.3 - Access Control Bypass
https://notcve.org/view.php?id=CVE-2010-5106
08 Dec 2010 — The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote authenticated users to bypass intended access restrictions, and publish, edit, or delete posts, by leveraging the Author or Contributor role. La interfaz de publicación de XML-RPC remoto en xmlrpc.php en WordPress antes de v3.0.3 no realiza correctamente determinadas comprobaciones, lo que permite a usuarios remotos autenticados eludir restricciones de acceso, y publicar,... • http://codex.wordpress.org/Version_3.0.3 • CWE-264: Permissions, Privileges, and Access Controls CWE-284: Improper Access Control •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 0CVE-2010-4257 – WordPress Core <= 3.0.1 - SQL Injection
https://notcve.org/view.php?id=CVE-2010-4257
30 Nov 2010 — SQL injection vulnerability in the do_trackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field. Vulnerabilidad de inyección SQL en la función do_trackbacks en wp-includes/comment.php de WordPress anterior a v3.0.2 permite a los usuarios remotos autenticados ejecutar comandos SQL a su elección a través del campo Send Trackbacks. • http://blog.sjinks.pro/wordpress/858-information-disclosure-via-sql-injection-attack • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.4EPSS: 0%CPEs: 48EXPL: 1CVE-2010-5294 – WordPress Core < 3.0.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-5294
30 Nov 2010 — Multiple cross-site scripting (XSS) vulnerabilities in the request_filesystem_credentials function in wp-admin/includes/file.php in WordPress before 3.0.2 allow remote servers to inject arbitrary web script or HTML by providing a crafted error message for a (1) FTP or (2) SSH connection attempt. Múltiples vulnerabilidades cross-site scripting (XSS) en la función request_filesystem_credentials en wp-admin/includes/file.php en WordPress anterior a v3.0.2 la cual permite a servidores remotos inyectar script We... • http://codex.wordpress.org/Version_3.0.2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 48EXPL: 1CVE-2010-5295 – WordPress Core < 3.0.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-5295
30 Nov 2010 — Cross-site scripting (XSS) vulnerability in wp-admin/plugins.php in WordPress before 3.0.2 might allow remote attackers to inject arbitrary web script or HTML via a plugin's author field, which is not properly handled during a Delete Plugin action. Vulnerabilidad de XSS en wp-admin/plugins.php de WordPress anterior a la versión 3.0.2 podría permitir a atacantes remotos inyectar script Web o HTML arbitrario a través del campo de autor del plugin, el cual no es correctamente manejado durante una acción Delete... • http://codex.wordpress.org/Version_3.0.2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 48EXPL: 2CVE-2010-5293 – WordPress Core < 3.0.2 - Spam Protection Bypass
https://notcve.org/view.php?id=CVE-2010-5293
30 Nov 2010 — wp-includes/comment.php in WordPress before 3.0.2 does not properly whitelist trackbacks and pingbacks in the blogroll, which allows remote attackers to bypass intended spam restrictions via a crafted URL, as demonstrated by a URL that triggers a substring match. wp-includes/comment.php en WordPress anterior a la versión 3.0.2 no incluye en lista blanca los trackbacks y pingbacks en el blogroll, lo que permite a atacantes remotos evadir restricciones de SPAM intencionadas mediante una URL manipulada, tal y ... • http://codex.wordpress.org/Version_3.0.2 • CWE-264: Permissions, Privileges, and Access Controls CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 5.3EPSS: 0%CPEs: 23EXPL: 2CVE-2010-4403 – Register Plus <= 3.5.11 - Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2010-4403
24 Nov 2010 — The Register Plus plugin 3.5.1 and earlier for WordPress allows remote attackers to obtain sensitive information via a direct request to (1) dash_widget.php and (2) register-plus.php, which reveals the installation path in an error message. El complemento Register Plus 3.5.1 y versiones anteriores de WordPress permite a atacantes remotos obtener información confidencial a través de peticiones directas a (1) dash_widget.php y (2) register-plus.php, lo que revela la ruta de instalación en el mensaje de error.... • http://packetstormsecurity.org/files/view/96143/registerplus-xss.txt • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.2EPSS: 0%CPEs: 23EXPL: 2CVE-2010-4402 – Register Plus <= 3.5.11 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-4402
24 Nov 2010 — Multiple cross-site scripting (XSS) vulnerabilities in wp-login.php in the Register Plus plugin 3.5.1 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) firstname, (2) lastname, (3) website, (4) aim, (5) yahoo, (6) jabber, (7) about, (8) pass1, and (9) pass2 parameters in a register action. Multiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en wp-login.php del complemento Register Plus 3.5.1 y versiones anteriores de Wo... • http://osvdb.org/69491 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.9EPSS: 0%CPEs: 47EXPL: 2CVE-2010-5297 – WordPress Core < 3.0.1 - Missing Authorization
https://notcve.org/view.php?id=CVE-2010-5297
29 Jul 2010 — WordPress before 3.0.1, when a Multisite installation is used, permanently retains the "site administrators can add users" option once changed, which might allow remote authenticated administrators to bypass intended access restrictions in opportunistic circumstances via an add action after a temporary change. WordPress anterior a la versión 3.0.1, cuando se usa una instalación Multisite, conserva permanentemente la opción "los usuarios pueden añadir administradores al sitio" una vez cambiada, lo que podría... • http://codex.wordpress.org/Changelog/3.0.1 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 25%CPEs: 4EXPL: 1CVE-2010-0682 – WordPress Core < 2.9.2 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2010-0682
15 Feb 2010 — WordPress 2.9 before 2.9.2 allows remote authenticated users to read trash posts from other authors via a direct request with a modified p parameter. WordPress v2.9 anterior a v2.9.2, permite a usuarios autenticados remotamente leer mensajes eliminados de otros autores a través de una petición directa con una modificación en el parámetro "p". • https://www.exploit-db.com/exploits/11441 • CWE-264: Permissions, Privileges, and Access Controls CWE-639: Authorization Bypass Through User-Controlled Key •