CVSS: 6.3EPSS: 0%CPEs: 87EXPL: 1CVE-2012-4421 – WordPress Core < 3.4.2 - Missing Authorization Checks on create_post
https://notcve.org/view.php?id=CVE-2012-4421
06 Sep 2012 — The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature. La función create_post en wp-includes/class-wp-atom-server.php en WordPress antes de v3.4.2 no realiza determinadas comprobaciones, lo que permite a usuarios remotos autenticados eludir ... • http://codex.wordpress.org/Version_3.4.2 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2012-3383 – WordPress Core < 3.4.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-3383
22 Jul 2012 — The map_meta_cap function in wp-includes/capabilities.php in WordPress 3.4.x before 3.4.2, when the multisite feature is enabled, does not properly assign the unfiltered_html capability, which allows remote authenticated users to bypass intended access restrictions and conduct cross-site scripting (XSS) attacks by leveraging the Administrator or Editor role and composing crafted text. La función map_meta_cap en el archivo wp-includes/capabilities.php de WordPress versiones 3.4.x anteriores a 3.4.2, cuando l... • http://codex.wordpress.org/Version_3.4.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 18EXPL: 0CVE-2012-6635 – WordPress Core <= 3.3.2 - Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2012-6635
27 Jun 2012 — wp-admin/includes/class-wp-posts-list-table.php in WordPress before 3.3.3 does not properly restrict excerpt-view access, which allows remote authenticated users to obtain sensitive information by visiting a draft. wp-admin/includes/class-wp-posts-list-table.php en WordPress anterior a 3.3.3 no restringe adecuadamente el accesso a la vista-resumen (excerpt-view) lo que permite a los usuarios remotos autenticados obtener información sensible al visitar un proyecto. • http://codex.wordpress.org/Version_3.3.3 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 18EXPL: 0CVE-2012-6634 – WordPress Core <= 3.3.2 - Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2012-6634
27 Jun 2012 — wp-admin/media-upload.php in WordPress before 3.3.3 allows remote attackers to obtain sensitive information or bypass intended media-attachment restrictions via a post_id value. wp-admin/media-upload.php en WordPress anterior a 3.3.3 permite a atacantes remotos obtener información sensible o de evitar restricciones de medios adjuntos a través de un valor post_id. • http://codex.wordpress.org/Version_3.3.3 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.8EPSS: 0%CPEs: 85EXPL: 0CVE-2012-3384 – WordPress Core < 3.4.1 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2012-3384
27 Jun 2012 — Cross-site request forgery (CSRF) vulnerability in the customizer in WordPress before 3.4.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. Una vulnerabilidad de falsificación de peticiones en sitios cruzados(CSRF) en el personalizador de WordPress anterior a v3.4.1 permite a atacantes remotos secuestrar la autenticación de las víctimas no especificadas a través de vectores desconocidos. • http://codex.wordpress.org/Version_3.4.1 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 18EXPL: 0CVE-2012-6633 – WordPress Core <= 3.3.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-6633
27 Jun 2012 — Cross-site scripting (XSS) vulnerability in wp-includes/default-filters.php in WordPress before 3.3.3 allows remote attackers to inject arbitrary web script or HTML via an editable slug field. Vulnerabilidad de Cross-site scripting (XSS) en wp-includes/default-filters.php en WordPress antes de 3.3.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de un campo slug editable. • http://codex.wordpress.org/Version_3.3.3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 85EXPL: 0CVE-2012-3385 – WordPress Core < 3.4.1 - Information Disclosure
https://notcve.org/view.php?id=CVE-2012-3385
27 Jun 2012 — WordPress before 3.4.1 does not properly restrict access to post contents such as private or draft posts, which allows remote authors or contributors to obtain sensitive information via unknown vectors. WordPress anterior a v3.4.1 no restringe el acceso a publicar contenidos tales como los mensajes privados o proyecto, lo que permite a los autores o colaboradores remotos obtener información sensible a través de vectores desconocidos. • http://codex.wordpress.org/Version_3.4.1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2012-6707 – WordPress Core - Informational - All known Versions - Weak Hashing Algorithm
https://notcve.org/view.php?id=CVE-2012-6707
20 Jun 2012 — WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress wi... • https://core.trac.wordpress.org/ticket/21022 • CWE-261: Weak Encoding for Password CWE-326: Inadequate Encryption Strength •
CVSS: 8.8EPSS: 0%CPEs: 83EXPL: 3CVE-2012-1936 – WordPress Core 3.3.1 - Multiple Cross-Site Request Forgery Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-1936
03 May 2012 — The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session, which might make it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks on specific actions and objects by sniffing the network, as demonstrated by attacks against the wp-admin/admin-ajax.php and wp-admin/user-new.php scripts. NOTE: the vendor reportedly disputes the significance of this issue because wp_create_nonce operates ... • https://www.exploit-db.com/exploits/18791 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 1%CPEs: 80EXPL: 0CVE-2012-2399 – WordPress Core <= 3.5.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-2399
21 Apr 2012 — Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote attackers to inject arbitrary web script or HTML via the buttonText parameter, a different vulnerability than CVE-2012-3414. Vulnerabilidad no especificada en wp-includes/js/swfupload/swfupload.swf en WordPress antes de v3.3.2 tiene un impacto y vectores de ataque desconocidos. • http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/swfupload/swfupload.swf?rev=20503 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •