CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2009-2854 – WordPress Core < 2.8.3 - Missing Authorization
https://notcve.org/view.php?id=CVE-2009-2854
03 Aug 2009 — Wordpress before 2.8.3 does not check capabilities for certain actions, which allows remote attackers to make unauthorized edits or additions via a direct request to (1) edit-comments.php, (2) edit-pages.php, (3) edit.php, (4) edit-category-form.php, (5) edit-link-category-form.php, (6) edit-tag-form.php, (7) export.php, (8) import.php, or (9) link-add.php in wp-admin/. Wordpress antes de v2.8.3 no comprueba los privilegios de ciertas acciones, lo cual facilita a atacantes remotos a la hora de hacer modific... • http://core.trac.wordpress.org/changeset/11765 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2009-2851 – WordPress Core <= 2.8.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2009-2851
20 Jul 2009 — Cross-site scripting (XSS) vulnerability in the administrator interface in WordPress before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via a comment author URL. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el interfaz de administrador en Wordpress anterior a v2.8.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML de forma arbitraria a través de una URL de comentarios de autor. • https://www.exploit-db.com/exploits/9250 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 101EXPL: 1CVE-2009-2432 – WordPress Core & WordPress MU < 2.8.1 - Full Path Disclosure
https://notcve.org/view.php?id=CVE-2009-2432
10 Jul 2009 — WordPress and WordPress MU before 2.8.1 allow remote attackers to obtain sensitive information via a direct request to wp-settings.php, which reveals the installation path in an error message. WordPress y WordPress MU antes de v2.8.1 permite a atacantes remotos obtener información sensible a través de una solicitud directa a wp-settings.php, el cual revela la ruta de instalación en un mensaje de error. • http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.3EPSS: 95%CPEs: 2EXPL: 3CVE-2009-2335 – WordPress Core & WordPress MU < 2.8.1 - Username Enumeration
https://notcve.org/view.php?id=CVE-2009-2335
09 Jul 2009 — WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience." WordPress y WordPress MU anterior a v2.8.1 expone un comportamiento diferente para un intento fallido de acceso en función de si existe la cuenta de usuario, lo cual permite a atacant... • https://www.exploit-db.com/exploits/17702 • CWE-16: Configuration CWE-204: Observable Response Discrepancy •
CVSS: 5.3EPSS: 1%CPEs: 2EXPL: 2CVE-2009-2336 – WordPress Core & WordPress MU < 2.8.1 - Username Enumeration
https://notcve.org/view.php?id=CVE-2009-2336
09 Jul 2009 — The forgotten mail interface in WordPress and WordPress MU before 2.8.1 exhibits different behavior for a password request depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience." El interfaz de correo olvidado en WordPress y WordPress MU anterior a v2.8.1 muestra diferentes comportamientos para una petición de contraseña dependiend... • http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked • CWE-16: Configuration CWE-203: Observable Discrepancy •
CVSS: 6.1EPSS: 8%CPEs: 101EXPL: 5CVE-2009-2334 – WordPress Core <= 2.8 - Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2009-2334
09 Jul 2009 — wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensitive information or modify this file, as demonstrated by the (1) collapsing-archives/options.txt, (2) akismet/readme.txt, (3) related-ways-to-take-action/options.php, (4) wp-security-scan/securityscan.php, and (5) wp-ids/ids-admin.php files. NOTE: this can be lev... • https://www.exploit-db.com/exploits/9110 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-287: Improper Authentication •
CVSS: 7.2EPSS: 5%CPEs: 74EXPL: 1CVE-2008-5278 – WordPress Core < 2.6.5 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2008-5278
28 Nov 2008 — Cross-site scripting (XSS) vulnerability in the self_link function in in the RSS Feed Generator (wp-includes/feed.php) for WordPress before 2.6.5 allows remote attackers to inject arbitrary web script or HTML via the Host header (HTTP_HOST variable). Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la función self_link en el RSS Feed Generator (wp-includes/feed.php) para WordPress versiones anteriores a v2.6.5 permite a atacantes remotos inyectar web script o HTML de su elección a través... • http://osvdb.org/50214 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 5EXPL: 1CVE-2008-4796 – Feed2JS File Disclosure
https://notcve.org/view.php?id=CVE-2008-4796
30 Oct 2008 — The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs. La función _httpsrequest function (Snoopy/Snoopy.class.php) en Snoopy 1.2.3 y versiones anteriores, cuando es usada en (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost y posi... • https://packetstorm.news/files/id/127352 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 1%CPEs: 34EXPL: 2CVE-2008-4106 – WordPress Core < 2.6.2 - Arbitrary User Password Reset
https://notcve.org/view.php?id=CVE-2008-4106
08 Sep 2008 — WordPress before 2.6.2 does not properly handle MySQL warnings about insertion of username strings that exceed the maximum column width of the user_login column, and does not properly handle space characters when comparing usernames, which allows remote attackers to change an arbitrary user's password to a random value by registering a similar username and then requesting a password reset, related to a "SQL column truncation vulnerability." NOTE: the attacker can discover the random password by also exploit... • http://marc.info/?l=oss-security&m=122152830017099&w=2 • CWE-20: Improper Input Validation CWE-197: Numeric Truncation Error •
CVSS: 9.8EPSS: 0%CPEs: 45EXPL: 0CVE-2008-3747 – WordPress Core < 2.6.1 - Cryptographic Weakness
https://notcve.org/view.php?id=CVE-2008-3747
15 Aug 2008 — The (1) get_edit_post_link and (2) get_edit_comment_link functions in wp-includes/link-template.php in WordPress before 2.6.1 do not force SSL communication in the intended situations, which might allow remote attackers to gain administrative access by sniffing the network for a cookie. Las funciones (1) get_edit_post_link y (2) get_edit_comment_link en wp-includes/link-template.php de WordPress antes de 2.6.1 no fuerzan comunicación SSL en las situaciones previstas, lo que podría permitir a atacantes remot... • http://trac.wordpress.org/ticket/7359 • CWE-264: Permissions, Privileges, and Access Controls CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') •