CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2010-4257 – WordPress Core <= 3.0.1 - SQL Injection
https://notcve.org/view.php?id=CVE-2010-4257
30 Nov 2010 — SQL injection vulnerability in the do_trackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field. Vulnerabilidad de inyección SQL en la función do_trackbacks en wp-includes/comment.php de WordPress anterior a v3.0.2 permite a los usuarios remotos autenticados ejecutar comandos SQL a su elección a través del campo Send Trackbacks. • http://blog.sjinks.pro/wordpress/858-information-disclosure-via-sql-injection-attack • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 48EXPL: 2CVE-2010-5293 – WordPress Core < 3.0.2 - Spam Protection Bypass
https://notcve.org/view.php?id=CVE-2010-5293
30 Nov 2010 — wp-includes/comment.php in WordPress before 3.0.2 does not properly whitelist trackbacks and pingbacks in the blogroll, which allows remote attackers to bypass intended spam restrictions via a crafted URL, as demonstrated by a URL that triggers a substring match. wp-includes/comment.php en WordPress anterior a la versión 3.0.2 no incluye en lista blanca los trackbacks y pingbacks en el blogroll, lo que permite a atacantes remotos evadir restricciones de SPAM intencionadas mediante una URL manipulada, tal y ... • http://codex.wordpress.org/Version_3.0.2 • CWE-264: Permissions, Privileges, and Access Controls CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 4.9EPSS: 0%CPEs: 47EXPL: 2CVE-2010-5297 – WordPress Core < 3.0.1 - Missing Authorization
https://notcve.org/view.php?id=CVE-2010-5297
29 Jul 2010 — WordPress before 3.0.1, when a Multisite installation is used, permanently retains the "site administrators can add users" option once changed, which might allow remote authenticated administrators to bypass intended access restrictions in opportunistic circumstances via an add action after a temporary change. WordPress anterior a la versión 3.0.1, cuando se usa una instalación Multisite, conserva permanentemente la opción "los usuarios pueden añadir administradores al sitio" una vez cambiada, lo que podría... • http://codex.wordpress.org/Changelog/3.0.1 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 1CVE-2010-0682 – WordPress Core < 2.9.2 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2010-0682
15 Feb 2010 — WordPress 2.9 before 2.9.2 allows remote authenticated users to read trash posts from other authors via a direct request with a modified p parameter. WordPress v2.9 anterior a v2.9.2, permite a usuarios autenticados remotamente leer mensajes eliminados de otros autores a través de una petición directa con una modificación en el parámetro "p". • https://www.exploit-db.com/exploits/11441 • CWE-264: Permissions, Privileges, and Access Controls CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 8.8EPSS: 3%CPEs: 1EXPL: 1CVE-2009-3890 – WordPress Core <= 2.8.5 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2009-3890
17 Nov 2009 — Unrestricted file upload vulnerability in the wp_check_filetype function in wp-includes/functions.php in WordPress before 2.8.6, when a certain configuration of the mod_mime module in the Apache HTTP Server is enabled, allows remote authenticated users to execute arbitrary code by posting an attachment with a multiple-extension filename, and then accessing this attachment via a direct request to a wp-content/uploads/ pathname, as demonstrated by a .php.jpg filename. Vulnerabilidad de subida de archivos sin ... • https://www.exploit-db.com/exploits/10089 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2009-3891 – WordPress Core <= 2.8.5 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2009-3891
17 Nov 2009 — Cross-site scripting (XSS) vulnerability in wp-admin/press-this.php in WordPress before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML via the s parameter (aka the selection variable). Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en wp-admin/press-this.php en WordPress anteriores a v2.8.6 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML a través del parámetro "s" (también conocido como variable selección). • http://core.trac.wordpress.org/attachment/ticket/11119/press-this-xss-bug-11-10-2009.patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 5%CPEs: 1EXPL: 2CVE-2009-3622 – WordPress Core <= 2.8.4 - Denial of Service
https://notcve.org/view.php?id=CVE-2009-3622
20 Oct 2009 — Algorithmic complexity vulnerability in wp-trackback.php in WordPress before 2.8.5 allows remote attackers to cause a denial of service (CPU consumption and server hang) via a long title parameter in conjunction with a charset parameter composed of many comma-separated "UTF-8" substrings, related to the mb_convert_encoding function in PHP. Vulnerabilidad de complejidad algorítmica en wp-trackback.php en WordPress anteriores a v2.8.5 permite a atacantes remotos provocar una denegación de servicio (Consumo de... • http://codes.zerial.org/php/wp-trackbacks_dos.phps • CWE-310: Cryptographic Issues CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.1EPSS: 69%CPEs: 1EXPL: 4CVE-2009-2762 – WordPress Core < 2.8.4 - Forced Password Reset
https://notcve.org/view.php?id=CVE-2009-2762
12 Aug 2009 — wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array. wp-login.php en WordPress v2.8.3 y anteriores que permite a los atacantes remotos a forzar el restablecimiento de la contraseña para el primer usuario en la base de datos, posiblemente el administrador, a través de un key[] array va... • https://www.exploit-db.com/exploits/6421 • CWE-255: Credentials Management Errors CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2009-2854 – WordPress Core < 2.8.3 - Missing Authorization
https://notcve.org/view.php?id=CVE-2009-2854
03 Aug 2009 — Wordpress before 2.8.3 does not check capabilities for certain actions, which allows remote attackers to make unauthorized edits or additions via a direct request to (1) edit-comments.php, (2) edit-pages.php, (3) edit.php, (4) edit-category-form.php, (5) edit-link-category-form.php, (6) edit-tag-form.php, (7) export.php, (8) import.php, or (9) link-add.php in wp-admin/. Wordpress antes de v2.8.3 no comprueba los privilegios de ciertas acciones, lo cual facilita a atacantes remotos a la hora de hacer modific... • http://core.trac.wordpress.org/changeset/11765 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 2%CPEs: 57EXPL: 2CVE-2009-2853 – WordPress Core < 2.8.3 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2009-2853
03 Aug 2009 — Wordpress before 2.8.3 allows remote attackers to gain privileges via a direct request to (1) admin-footer.php, (2) edit-category-form.php, (3) edit-form-advanced.php, (4) edit-form-comment.php, (5) edit-link-category-form.php, (6) edit-link-form.php, (7) edit-page-form.php, and (8) edit-tag-form.php in wp-admin/. Wordpress anterior a v2.8.3 permite a atacantes remotos conseguir privilegios a traves de una peticion directa a (1) admin-footer.php, (2) edit-category-form.php, (3) edit-form-advanced.php, (4) e... • http://core.trac.wordpress.org/changeset/11768 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •