CVSS: 10.0EPSS: 1%CPEs: 4EXPL: 0CVE-2011-3125 – WordPress Core < 3.1.3 - Security Hardening
https://notcve.org/view.php?id=CVE-2011-3125
25 May 2011 — Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Various security hardening." Vulnerabilidad no especificada en WordPress v3.1 anterior a v3.1.3 y 3.2 anterior a Beta 2 tiene un impacto y vectores de ataque desconocidos relacionados con "Varios robustecimientos de la seguridad". • http://secunia.com/advisories/49138 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2011-3130 – WordPress Core <= 3.1.2 - SQL Injection
https://notcve.org/view.php?id=CVE-2011-3130
25 May 2011 — wp-includes/taxonomy.php in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Taxonomy query hardening," possibly involving SQL injection. wp-includes/taxonomy.php de WordPress 3.1 anteriores a la versión 3.1.3 y 3.2 anteriores a Beta 2 tiene un impacto desconocido y vectores de ataque relacionados con "Taxonomy query hardening", posiblemente involucrando inyección SQL. • http://secunia.com/advisories/49138 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 1%CPEs: 4EXPL: 0CVE-2011-3126 – WordPress Core < 3.1.3 - Username Enumeration
https://notcve.org/view.php?id=CVE-2011-3126
25 May 2011 — WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 allows remote attackers to determine usernames of non-authors via canonical redirects. WordPress 3.1 anteriores a 3.1.3 y 3.2 anteriores a Beta 2 permite a atacantes remotos determinar nombres de usuario de no-autores a través de redirecciones "canonical". • http://secunia.com/advisories/49138 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-204: Observable Response Discrepancy •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2011-3127 – WordPress Core < 3.1.3 - Clickjacking
https://notcve.org/view.php?id=CVE-2011-3127
25 May 2011 — WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 does not prevent rendering for (1) admin or (2) login pages inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. WordPress v3.1 anterior a 3.1.3 y v3.2 anterior a Beta 2, no previene adecuadamente el renderizado de las páginas (1) admin o (2) login dentro de un marco en un documento HTML de terceras partes, esto facilita a los atacantes remotos realizar ataques de cli... • http://secunia.com/advisories/49138 • CWE-20: Improper Input Validation CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2011-1762 – WordPress Core < 3.1.2 - Incorrect Authorization for Contributor-level users
https://notcve.org/view.php?id=CVE-2011-1762
26 Apr 2011 — A flaw exists in Wordpress related to the 'wp-admin/press-this.php 'script improperly checking user permissions when publishing posts. This may allow a user with 'Contributor-level' privileges to post as if they had 'publish_posts' permission. Se presenta un fallo en Wordpress relacionado con el script "wp-admin/press-this.php" que comprueba incorrectamente los permisos de usuario cuando son publicados posts. Esto puede permitir que un usuario con privilegios de tipo "Contributor-level" publique como si tuv... • https://wordpress.org/support/wordpress-version/version-3-1-2 • CWE-276: Incorrect Default Permissions CWE-284: Improper Access Control •
CVSS: 6.3EPSS: 0%CPEs: 6EXPL: 1CVE-2011-5270 – WordPress Core < 3.0.6 - Incorrect Authorization Checks
https://notcve.org/view.php?id=CVE-2011-5270
26 Apr 2011 — wp-admin/press-this.php in WordPress before 3.0.6 does not enforce the publish_posts capability requirement, which allows remote authenticated users to perform publish actions by leveraging the Contributor role. wp-admin/press-this.php en WordPress anterior a la versión 3.0.6 no cumple los requisitos de capacidad publish_posts, lo que permite a usuarios remotos autenticados realizar acciones de publicación mediante el aprovechamiento del rol de Contributor. • http://codex.wordpress.org/Version_3.0.6 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •
CVSS: 6.4EPSS: 0%CPEs: 75EXPL: 0CVE-2011-4956 – WordPress Core <= 3.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-4956
05 Apr 2011 — Cross-site scripting (XSS) vulnerability in WordPress before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en WordPress antes de v3.1.1, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores no especificados. • http://secunia.com/advisories/44038 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 2%CPEs: 75EXPL: 0CVE-2011-4957 – WordPress Core < 3.1.1 - Denial of Service
https://notcve.org/view.php?id=CVE-2011-4957
05 Apr 2011 — The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a crafted URL that triggers many recursive calls. La función make_clickable en wp-includes/formatting.php en WordPress antes de v3.1.1 no comprueba las URL correctamente antes de pasarlas a la biblioteca PCRE, lo que permite a atacantes remotos provocar una denegación de ... • http://core.trac.wordpress.org/ticket/16892 • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.5EPSS: 1%CPEs: 1EXPL: 0CVE-2011-0701 – WordPress Core < 3.0.5 - Improper Authorization to Information Disclosure
https://notcve.org/view.php?id=CVE-2011-0701
07 Feb 2011 — wp-admin/async-upload.php in the media uploader in WordPress before 3.0.5 allows remote authenticated users to read (1) draft posts or (2) private posts via a modified attachment_id parameter. wp-admin/async-upload.php en media uploader en WordPress anterior a v3.0.5 permite a usuarios remotos autenticados leer (1) posts borradores o (2) posts privados a través del parámetro modificado attachment_id. • http://codex.wordpress.org/Version_3.0.5 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-285: Improper Authorization •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2011-3818 – WordPress Core 2.9.2 and 3.0.4 - Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2011-3818
28 Jan 2011 — WordPress 2.9.2 and 3.0.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by wp-admin/includes/user.php and certain other files. WordPress v2.9.2 y v3.0.4 permiten a atacantes remotos obtener información sensible a través de una petición directa a un archivo .php, lo que revela la ruta de instalación en un mensaje de error, como se demostró con wp-admin/includes/user.php y algunos otros arch... • http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •