CVE-2016-4567 – WordPress Core < 4.5.2 - Cross-Site Scripting via MediaElement.js
https://notcve.org/view.php?id=CVE-2016-4567
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn." Vulnerabilidad de XSS en flash/FlashMediaElement.as en MediaElement.js en versiones anteriores a 2.21.0, como se utiliza en WordPress en versiones anteriores a 4.5.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un formulario ofuscado del parámetro jsinitfunction, como es demostrado por "jsinitfunctio%gn". • http://www.openwall.com/lists/oss-security/2016/05/07/2 http://www.securitytracker.com/id/1035818 https://codex.wordpress.org/Version_4.5.2 https://core.trac.wordpress.org/changeset/37371 https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c https://github.com/johndyer/mediaelement/blob/master/changelog.md https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e https://wordpress.org/news/2016/05/wordpress-4-5-2 https://wpvulndb.com/vulnerabilities/8488 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-4566 – WordPress Core < 4.5.2 - Cross-Site Scripting via plupload.flash.swf
https://notcve.org/view.php?id=CVE-2016-4566
Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack. Vulnerabilidad de XSS en plupload.flash.swf en Plupload en versiones anteriores a 2.1.9, como se utiliza en WordPress en versiones anteriores a 4.5.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un ataque Same-Origin Method Execution (SOME). • http://www.openwall.com/lists/oss-security/2016/05/07/2 http://www.plupload.com/punbb/viewtopic.php?pid=28690 http://www.securitytracker.com/id/1035818 https://codex.wordpress.org/Version_4.5.2 https://core.trac.wordpress.org/changeset/37382 https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e https://wordpress.org/news/2016/05/wordpress-4-5-2 https://wpvulndb.com/vulnerabilities/8489 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-6634 – WordPress Core < 4.5 - Cross-Site Scripting via Network Settings Page
https://notcve.org/view.php?id=CVE-2016-6634
Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en la página de configuración de red en WordPress en versiones anteriores a 4.5 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. • http://codex.wordpress.org/Version_4.5 http://www.debian.org/security/2016/dsa-3681 http://www.securityfocus.com/bid/92390 https://core.trac.wordpress.org/query?status=closed&milestone=4.5 https://wpvulndb.com/vulnerabilities/8474 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-6635 – WordPress Core < 4.5 - Cross-Site Request Forgery via wp_ajax_wp_compression_test
https://notcve.org/view.php?id=CVE-2016-6635
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPress before 4.5 allows remote attackers to hijack the authentication of administrators for requests that change the script compression option. Vulnerabilidad de CSRF en la función wp_ajax_wp_compression_test en wp-admin/includes/ajax-actions.php en WordPress en versiones anteriores a 4.5 permite a atacantes remotos secuestrar la autenticación de administradores para peticiones que cambian la opción de compresión de la escritura. • http://codex.wordpress.org/Version_4.5 http://www.debian.org/security/2016/dsa-3681 https://github.com/WordPress/WordPress/commit/9b7a7754133c50b82bd9d976fb5b24094f658aab https://wpvulndb.com/vulnerabilities/8475 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2016-2221 – WordPress Core < 4.4.2 - Open Redirect via wp_validate_redirect
https://notcve.org/view.php?id=CVE-2016-2221
Open redirect vulnerability in the wp_validate_redirect function in wp-includes/pluggable.php in WordPress before 4.4.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL that triggers incorrect hostname parsing, as demonstrated by an https:example.com URL. Vulnerabilidad de redirección abierta en la función wp_validate_redirect en wp-includes/pluggable.php en WordPress en versiones anteriores a 4.4.2 permite a atacantes remotos redirigir a los usuarios a sitios web arbitrarios y llevar acabo ataques de phishing a través de una URL mal formada que desencadena un análisis gramatical del nombre de host incorrecto, según lo demostrado mediante una URL https:example.com. • http://www.debian.org/security/2016/dsa-3472 http://www.securityfocus.com/bid/82463 http://www.securitytracker.com/id/1034933 https://codex.wordpress.org/Version_4.4.2 https://core.trac.wordpress.org/changeset/36444 https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8377 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •