CVSS: 8.8EPSS: 18%CPEs: 2EXPL: 3CVE-2008-5695 – WordPress Core < 2.3.3 & WordPress MU < 1.3.2 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2008-5695
08 Sep 2007 — wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier, does not properly validate requests to update an option, which allows remote authenticated users with manage_options and upload_files capabilities to execute arbitrary code by uploading a PHP script and adding this script's pathname to active_plugins. wp-admin/options.php en versiones de WordPress MU anteriores a la 1.3.2, y WordPress 2.3.2 y anteriores, no valida las solicitudes de actualización de una opción, lo que permit... • https://www.exploit-db.com/exploits/5066 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 1%CPEs: 38EXPL: 0CVE-2008-0664 – WordPress Core < 2.3.3 - Improper Authorization Checks
https://notcve.org/view.php?id=CVE-2008-0664
08 Sep 2007 — The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, when registration is enabled, allows remote attackers to edit posts of other blog users via unknown vectors. La implementación XML-RPC (xmlrpc.php) en versiones anteriores a WordPress 2.3.3, cuando el registro está activado, permite a atacantes remotos editar mensajes de otros usuarios del blog a través de vectores desconocidos. • http://secunia.com/advisories/28823 • CWE-264: Permissions, Privileges, and Access Controls CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 9.8EPSS: 0%CPEs: 31EXPL: 0CVE-2007-4894 – WordPress Core < 2.2.3 & WordPress MU < 1.2.5a - SQL Injection
https://notcve.org/view.php?id=CVE-2007-4894
08 Sep 2007 — Multiple SQL injection vulnerabilities in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a allow remote attackers to execute arbitrary SQL commands via the post_type parameter to the pingback.extensions.getPingbacks method in the XMLRPC interface, and other unspecified parameters related to "early database escaping" and missing validation of "query string like parameters." Múltiples vulnerabilidades de inyección SQL en Wordpress versiones anteriores a 2.2.3 y Wordpress multi-user (MU) vers... • http://fedoranews.org/updates/FEDORA-2007-214.shtml • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 24EXPL: 3CVE-2007-6318 – WordPress Core < 2.3.2 - SQL Injection
https://notcve.org/view.php?id=CVE-2007-6318
08 Sep 2007 — SQL injection vulnerability in wp-includes/query.php in WordPress 2.3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the s parameter, when DB_CHARSET is set to (1) Big5, (2) GBK, or possibly other character set encodings that support a "\" in a multibyte character. Vulnerabilidad de inyección SQL en wp-includes/query.php en WordPress 2.3.1 y anteriores permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro s, cuando DB_CHARSET está asignado en (1... • https://www.exploit-db.com/exploits/4721 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.1EPSS: 1%CPEs: 47EXPL: 2CVE-2008-2146 – WordPress Core < 2.2.3 - Restriction Bypass
https://notcve.org/view.php?id=CVE-2008-2146
08 Sep 2007 — wp-includes/vars.php in Wordpress before 2.2.3 does not properly extract the current path from the PATH_INFO ($PHP_SELF), which allows remote attackers to bypass intended access restrictions for certain pages. El archivo wp-incluye/vars.php en Wordpress versiones anteriores a 2.2.3, no extrae apropiadamente la ruta (path) actual del PATH_INFO ($PHP_SELF), que permite a atacantes remotos omitir las restricciones de acceso previstas para ciertas páginas. • http://osvdb.org/45188 • CWE-264: Permissions, Privileges, and Access Controls CWE-284: Improper Access Control •
CVSS: 6.4EPSS: 0%CPEs: 31EXPL: 0CVE-2007-4893 – WordPress Core <= 2.2.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-4893
05 Aug 2007 — wp-admin/admin-functions.php in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a does not properly verify the unfiltered_html privilege, which allows remote attackers to conduct cross-site scripting (XSS) attacks via modified data to (1) post.php or (2) page.php with a no_filter field. wp-admin/admin-functions.php de Wordpress versiones anteriores a 2.2.3 y Wordpress multi-user (MU) versiones anteriores a 1.2.5a no verifican apropiadamente el privilegio unfiltered_html, lo cual permite a a... • http://fedoranews.org/updates/FEDORA-2007-214.shtml • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2007-3639 – WordPress Core < 2.2.2 - Open Redirect
https://notcve.org/view.php?id=CVE-2007-3639
10 Jul 2007 — WordPress before 2.2.2 allows remote attackers to redirect visitors to other websites and potentially obtain sensitive information via (1) the _wp_http_referer parameter to wp-pass.php, related to the wp_get_referer function in wp-includes/functions.php; and possibly other vectors related to (2) wp-includes/pluggable.php and (3) the wp_nonce_ays function in wp-includes/functions.php. WordPress anterior a 2.2.2 permite a atacantes remotos redireccionar a los vistantes a otros sitios web y potencialmente obte... • http://osvdb.org/40802 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2007-3543 – WordPress Core <= 2.2 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2007-3543
03 Jul 2007 — Unrestricted file upload vulnerability in WordPress before 2.2.1 and WordPress MU before 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code by making a post that specifies a .php filename in the _wp_attached_file metadata field; and then sending this file's content, along with its post_ID value, to (1) wp-app.php or (2) app.php. Vulnerabilidad de fichero de archivo no restringido en WordPress anterior a 2.2.1 y WordPress MU anterior a 1.2.3 permite a usuarios autenticados remot... • http://osvdb.org/37295 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2007-3544 – WordPress Core <= 2.2.1 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2007-3544
03 Jul 2007 — Unrestricted file upload vulnerability in (1) wp-app.php and (2) app.php in WordPress 2.2.1 and WordPress MU 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code via unspecified vectors, possibly related to the wp_postmeta table and the use of custom fields in normal (non-attachment) posts. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2007-3543. Vulnerabilidad e envío de archivo no restringido en (1) wp-app.php y (2) app.php de WordPresss 2.2.1 y WordPr... • http://osvdb.org/37294 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 3CVE-2007-2821 – WordPress Core 2.1.3 - 'admin-ajax.php' SQL Injection Blind Fishing
https://notcve.org/view.php?id=CVE-2007-2821
22 May 2007 — SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter. Vulnerabilidad de inyección SQL en wp-admin/admin-ajax.php en WordPress anterior a 2.2 permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro cookie. • https://www.exploit-db.com/exploits/3960 •